Rodrigo Gomes

Well-Known Member
Apr 6, 2016
Brazil
cPanel Access Level
Root Administrator
I'm getting a SYN flood attack from Google IPs (66.249.85.109 and others).

IP Whois:
Reverse DNS (PTR record): google-proxy-66-249-85-109.google.com
ASN name (ISP): Google Inc.
Organization: Google Inc. (GOGL)
IP-range/subnet: 66.249.64.0/19 - 66.249.64.0 - 66.249.95.255
Logs:
Code:
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59822 PROTO=TCP SPT=43436 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59823 PROTO=TCP SPT=39999 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59824 PROTO=TCP SPT=56989 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
Has anyone experienced this, or does anyone have any idea why a Google IP would do this?

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
It is possible you are under a denial of service (DoS) attack. I would check your domain access logs to see if those IPs are actually browsing a site; if not, the source of the SYN is probably spoofed. It is not uncommon to spoof source IP addresses of well-known providers for UDP floods or SYN floods because people are reluctant to block those IP addresses.

In other words, the traffic might not actually be from Google because attackers can spoof the source address of the SYN. Generally I figure Google has very good engineers so the odds of them actually attacking someone are very small.
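
Added example, not part of either poster's reply: one way to run the access-log check suggested above, by cross-referencing the source addresses in the `*SYNFLOOD Blocked*` lines against clients that actually logged HTTP requests. The sample log text, the Apache combined log format and the placeholder addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: firewall lines follow the format quoted in the thread
# (fields trimmed); 203.0.113.10, 198.51.100.7 and 192.0.2.44 are placeholder addresses.
FIREWALL_LOG = """\
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=66.249.85.109 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43436 DPT=80 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=66.249.85.109 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=39999 DPT=80 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=66.249.85.109 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=56989 DPT=80 SYN URGP=0
Jun 27 09:10:23 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51514 DPT=80 SYN URGP=0
"""
# Constructed Apache combined-format access log lines (assumed log format).
ACCESS_LOG = """\
198.51.100.7 - - [27/Jun/2016:09:10:21 -0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2016:09:10:22 -0300] "GET /style.css HTTP/1.1" 200 830 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jun/2016:09:10:22 -0300] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SYN_RE = re.compile(r"\*SYNFLOOD Blocked\*.*?\bSRC=" + IPV4 + r"\b")
ACCESS_RE = re.compile(r"^" + IPV4 + r' \S+ \S+ \[[^\]]+\] "')

def blocked_sources(firewall_text):
    """Count blocked SYNs per source address claimed in the firewall log."""
    return Counter(m.group(1) for m in SYN_RE.finditer(firewall_text))

def http_clients(access_text):
    """Count logged HTTP requests per client address."""
    hits = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def classify(firewall_text, access_text):
    """For each SYN source, report whether it also completed real HTTP requests."""
    hits = http_clients(access_text)
    return {
        ip: {"blocked_syns": syns, "http_requests": hits[ip],
             "completed_handshake": hits[ip] > 0}
        for ip, syns in blocked_sources(firewall_text).items()
    }

if __name__ == "__main__":
    for ip, row in sorted(classify(FIREWALL_LOG, ACCESS_LOG).items()):
        verdict = "seen browsing" if row["completed_handshake"] else "no requests; consistent with spoofing"
        print(f'{ip}: {row["blocked_syns"]} blocked SYNs, {row["http_requests"]} requests ({verdict})')
```

A logged request shows the source completed a TCP handshake, which a spoofed address cannot do; the absence of requests is consistent with spoofing but does not prove it.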
 

Rodrigo Gomes

I analyzed the logs; it is very likely that this IP is false.
Thanks for the help.