possible SYN flooding

[keat63]

Any idea what this is please.

kernel: [10718182.340062] possible SYN flooding on port 53. Sending cookies.

Out of the blue it started over the weekend.
Thinking it might be something to do with DNS I restarted the DNS service.

 

[keat63]

I removed all entries from CSF LFD blocklist and the errors appear to have subsided.
Where I was seeing one every minute, I've now not seen one for the last 15 minutes.

I'll monitor

 

[keat63]

It must have been a co-incidence as they started again.

 

[cPanelLauren]

Details on what a SYN flood attack is can be found here: SYN flood - Wikipedia

If it is legitimately a SYN Flood attack, CSF has protection for that which can be configured (portflood, synflood protection)

 

[keat63]

I spent a huge part of my day yesterday trying to find an answer.
But I've absolutely no idea what's causing it.
It seems to have started on Friday night.

I'm a bit confused as to it being on port 53, and concerened that it might be DNS related.
Or would you suggest that I'm under a SYN flood attack ?

Today I ran

netstat -nta | egrep "State|53"

and can see a number of entries on my port 53

tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.5:56332          SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.32:49003         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.233:64038        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.1:40350          SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.242:38055        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.129:63249        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.208:53976        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.135:46353        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.59:59682         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.120:47536        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.90:34748         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.161:55723        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.120:59579        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.165:52384        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.93:55971         SYN_RECV

could these be related.

Could anyone give any pointers to help me try and determine the root ?

 

[keat63]

I thought i'd found the culprit, but alas not

 

[keat63]

OK here goes.

I added

53;tcp;2;300

to the PORTFLOOD setting in CSF which started logging port flood messages in var/log/messages
This setting allows 2 hits in a 300 second window.

It might seem harsh, but at least it identified a range of IP's, all coming from Italy,
For the time being i've blocked the whole of Italy in CC_Deny.

Lets see what tomorrow brings.

 

[cPanelLauren]

Yea they would definitely be related - the notification stated specifically that it was port 53 (DNS) that was being flooded. As far as the root cause of it? I wouldn't have a way to know, you'd have to identify a commonality - a lot of times (like I see you just responded with) they originate from the same location

 

[keat63]

May I run this scenario past you.

Lets assume that this is a bot, or maybe even just a single computer.
And it's firing DNS requests at me.

However, these DNS packets are coming through innocent DNS servers (they are afterall DNS packets).
Could I just be blocking IP's asscociated with DNS servers and subsequently backing myself in to a corner.

 

[cPanelLauren]

If you think about it if they've become vulnerable or compromised to broadcasting an attack like this, do you really want them to be able to continue to connect?