keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Any idea what this is, please?

kernel: [10718182.340062] possible SYN flooding on port 53. Sending cookies.

Out of the blue it started over the weekend.
Thinking it might be something to do with DNS I restarted the DNS service.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I removed all entries from CSF LFD blocklist and the errors appear to have subsided.
Where I was seeing one every minute, I've now not seen one for the last 15 minutes.

I'll monitor.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Details on what a SYN flood attack is can be found here: SYN flood - Wikipedia

If it is legitimately a SYN flood attack, CSF has protection for that which can be configured (portflood, synflood protection).
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I spent a huge part of my day yesterday trying to find an answer.
But I've absolutely no idea what's causing it.
It seems to have started on Friday night.

I'm a bit confused as to it being on port 53, and concerned that it might be DNS related.
Or would you suggest that I'm under a SYN flood attack?

Today I ran

netstat -nta | egrep "State|53"

and can see a number of entries on my port 53

Code:
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.5:56332          SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.32:49003         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.233:64038        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.1:40350          SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.242:38055        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.129:63249        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.208:53976        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.135:46353        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.59:59682         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.120:47536        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.90:34748         SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.161:55723        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.120:59579        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.165:52384        SYN_RECV
tcp        0      0 xxx.xxx.xxx.xx:53           yyy.yy.240.93:55971         SYN_RECV
Could these be related?

Could anyone give any pointers to help me try and determine the root?
 
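One way to turn that netstat listing into something actionable, as an added example that is not part of the thread: a small Python script that counts SYN_RECV entries on the local DNS port per source /24, so a cluster of half-open connections from one range stands out. The sample netstat lines and addresses are constructed (RFC 5737 documentation ranges), and the threshold of 3 is an arbitrary assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -nta | egrep "State|53"` output
# (documentation addresses, not the poster's real ones).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:53        203.0.113.5:56332       SYN_RECV
tcp        0      0 198.51.100.10:53        203.0.113.32:49003      SYN_RECV
tcp        0      0 198.51.100.10:53        203.0.113.233:64038     SYN_RECV
tcp        0      0 198.51.100.10:53        203.0.113.1:40350       SYN_RECV
tcp        0      0 198.51.100.10:53        192.0.2.77:41000        ESTABLISHED
tcp        0      0 198.51.100.10:53        192.0.2.78:41001        SYN_RECV
tcp        0      0 198.51.100.10:22        203.0.113.9:50001       SYN_RECV
"""

# proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def half_open_by_prefix(netstat_output, local_port=53, prefix_len=24):
    """Count SYN_RECV (half-open) entries on local_port, keyed by the
    source network (e.g. '203.0.113.0/24'). Other ports/states are ignored."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or non-tcp socket
        _local_ip, lport, remote_ip, _rport, state = m.groups()
        if int(lport) != local_port or state != "SYN_RECV":
            continue
        addr = ipaddress.ip_address(remote_ip)
        if addr.version == 6 and addr.ipv4_mapped:  # tcp6 socket, v4 client
            addr = addr.ipv4_mapped
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def suspicious_prefixes(counts, threshold=3):
    """Source networks with at least `threshold` half-open connections, busiest first."""
    return [(net, n) for net, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for net, n in suspicious_prefixes(half_open_by_prefix(SAMPLE_NETSTAT)):
        print(f"{net}: {n} half-open DNS connections")
```

On a live host, feed it the real output (`netstat -nta | python3 script.py` with a `sys.stdin.read()` in place of the sample) and compare the top prefixes against what CSF's PORTFLOOD log reports.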

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
OK here goes.

I added
Code:
53;tcp;2;300
to the PORTFLOOD setting in CSF, which started logging port flood messages in /var/log/messages.
This setting allows 2 hits in a 300 second window.

It might seem harsh, but at least it identified a range of IPs, all coming from Italy.
For the time being I've blocked the whole of Italy in CC_Deny.

Let's see what tomorrow brings.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Yea, they would definitely be related - the notification stated specifically that it was port 53 (DNS) that was being flooded. As far as the root cause of it? I wouldn't have a way to know; you'd have to identify a commonality - a lot of times (like I see you just responded with) they originate from the same location.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
May I run this scenario past you?

Let's assume that this is a bot, or maybe even just a single computer.
And it's firing DNS requests at me.

However, these DNS packets are coming through innocent DNS servers (they are, after all, DNS packets).
Could I just be blocking IPs associated with DNS servers and subsequently backing myself into a corner?