
SYN Flood from Google IPs

Discussion in 'Security' started by Rodrigo Gomes, Jun 28, 2016.

  1. Rodrigo Gomes

    Rodrigo Gomes Active Member

    I'm getting a SYN flood attack from Google IPs (66.249.85.109 and others).

    IP Whois:
    Logs:
    Code:
    Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59822 PROTO=TCP SPT=43436 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
    Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59823 PROTO=TCP SPT=39999 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
    Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59824 PROTO=TCP SPT=56989 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
    Has anyone experienced this, or does anyone have any idea why a Google IP would do this?
     
    #1 Rodrigo Gomes, Jun 28, 2016
    Last edited by a moderator: Jun 28, 2016
  2. Rodrigo Gomes

    Rodrigo Gomes Active Member

    CSF Port Flood Settings:

     
  3. quizknows

    quizknows Well-Known Member

    It is possible you are under a denial of service (DoS) attack. I would check your domain access logs to see if those IPs are actually browsing a site; if not, the source of the SYN is probably spoofed. It is not uncommon to spoof source IP addresses of well-known providers for UDP floods or SYN floods because people are reluctant to block those IP addresses.

    In other words, the traffic might not actually be from Google because attacks can spoof the source address of the SYN. Generally I figure Google has very good engineers so the odds of them actually attacking someone are very small.
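
The check suggested in post #3, as an added example (not code posted by anyone in the thread): it counts blocked SYNs per source in firewall lines of the format shown in post #1 and looks each source up in a web access log. The log lines are constructed and use documentation-range addresses, the access log is assumed to be in Apache common/combined format, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample input (not from the thread), documentation-range IPs only.
KERNEL_LOG = """\
Jun 27 09:10:22 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43436 DPT=80 SYN URGP=0
Jun 27 09:10:22 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=39999 DPT=80 SYN URGP=0
Jun 27 09:10:23 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=56989 DPT=80 SYN URGP=0
Jun 27 09:10:24 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
"""
ACCESS_LOG = """\
203.0.113.7 - - [27/Jun/2016:09:10:20 -0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2016:09:10:21 -0300] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Source IP and destination port of a blocked-SYN firewall line.
SYN_RE = re.compile(r"\*SYNFLOOD Blocked\*.*?\bSRC=(\S+).*?\bDPT=(\d+)")
# Client address: first field of a common/combined format access-log line.
CLIENT_RE = re.compile(r"^(\S+) \S+ \S+ \[")

def synflood_sources(kernel_log, ports=("80", "443")):
    """Count blocked SYNs per source IP for the given destination ports."""
    counts = Counter()
    for line in kernel_log.splitlines():
        m = SYN_RE.search(line)
        if m and m.group(2) in ports:
            counts[m.group(1)] += 1
    return counts

def http_clients(access_log):
    """Count requests per client IP; a logged request implies a completed handshake."""
    matches = (CLIENT_RE.match(line) for line in access_log.splitlines())
    return Counter(m.group(1) for m in matches if m)

def correlate(kernel_log, access_log):
    """Map each flagged source to (blocked_syns, http_requests, verdict)."""
    requests = http_clients(access_log)
    report = {}
    for src, syns in synflood_sources(kernel_log).items():
        hits = requests.get(src, 0)
        report[src] = (syns, hits, "seen-in-access-log" if hits else "syn-only")
    return report

if __name__ == "__main__":
    for src, (syns, hits, verdict) in correlate(KERNEL_LOG, ACCESS_LOG).items():
        print(f"{src}: blocked_syns={syns} http_requests={hits} {verdict}")
```

A `syn-only` source never completed a request in the logs examined, which is consistent with a spoofed address but does not prove it; compare logs covering the same time window.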
     
  4. Rodrigo Gomes

    Rodrigo Gomes Active Member

    I analyzed the logs; it is very likely that this IP is false.
    Thanks for the help.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm happy to see the information in the earlier post was helpful. Thank you for updating us with the outcome.
     