SYN flooding on port 80 and High 5 minute load average alert

Discussion in 'Security' started by monkey64, Jan 24, 2013.

  1. monkey64

    monkey64 Well-Known Member

    Nov 6, 2011
    cPanel Access Level:
    Root Administrator
    WHM is running CSF Firewall and I pay my Hosting partner for a Hardware Firewall which they claim
    "provides limited protection against Denial Of Service (DoS) attacks."

    A recent email generated by CSF claimed a "High 5 minute load average alert", so I checked /var/log/messages.
    In there, I found the line:

    "TCP: Possible SYN flooding on port 80. Sending cookies."

    It seems that there are a large number of attempts to connect to Port 21 - FTP.
    I have this Port disabled in CSF Firewall and allow only the two IPs I ever need to use, which prevents unauthorised access. However, it doesn't stop hackers hammering away at the server many times per second and drowning it in requests.

    I looked up the 200+ IPs and found they were all from the same district in China.
    I do get legitimate Chinese traffic so I can't block the whole country. I have a limit of 100 IPs I can block in CSF, so I could never block this amount.

    Is there anything more I should be doing as a "Responsible SysAdmin"?
  2. JaredR.

    JaredR. Well-Known Member

    Feb 25, 2010
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I moved this to the Security section for better visibility.

    If this problem is affecting the server's performance, one thing you have not mentioned is you can ask your hosting provider if they would be willing to block this in the hardware firewall or even upstream. Whether they will be willing to do this, however, will probably depend on how much effect it is having on the network as a whole.
  3. concerto49

    concerto49 Member

    Nov 1, 2012
    cPanel Access Level:
    DataCenter Provider
    This is definitely a data center or even the dedicated server provider's problem to be solving. You will need to work with them to see what kind of attacks you are getting and get them to work out how to prevent / deal with it.

    They should have the best tools and logs to analyze what's happening. Software firewalls such as CSF really don't help much against proper attacks aimed at you.
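
An added example, not part of the original thread: a way to measure which sources hold half-open connections on port 80 and to collapse them into CIDR ranges so that a few hundred addresses fit under a small deny-list limit. It assumes `netstat -tn` style input and a deny list that accepts CIDR entries; the function names, the `min_hosts` threshold and the sample lines are constructed for illustration, and a range entry blocks every address in it, so the threshold controls how much legitimate traffic is caught.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in `netstat -tn` layout; documentation address ranges only.
SAMPLE = [
    f"tcp        0      0 192.0.2.10:80     198.51.100.{h}:{40000 + h}     SYN_RECV"
    for h in range(1, 41)
] + [
    "tcp        0      0 192.0.2.10:80     203.0.113.7:51514       SYN_RECV",
    "tcp        0      0 192.0.2.10:80     203.0.113.9:40022       ESTABLISHED",
    "tcp        0      0 192.0.2.10:22     203.0.113.200:50100     SYN_RECV",
]


def half_open_sources(lines, port=80):
    """Count half-open (SYN_RECV) IPv4 sockets per source address on one local port."""
    counts = defaultdict(int)
    for line in lines:
        f = line.split()
        if len(f) != 6 or f[0] != "tcp" or f[5] != "SYN_RECV":
            continue
        if f[3].rsplit(":", 1)[1] != str(port):
            continue
        counts[f[4].rsplit(":", 1)[0]] += 1
    return dict(counts)


def deny_entries(counts, min_hosts=8, prefix=24):
    """Collapse sources into a /prefix range only when at least min_hosts distinct
    addresses from that range were seen; sparse ranges stay as single addresses."""
    by_net = defaultdict(set)
    for ip in counts:
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    entries = []
    for net in sorted(by_net):
        if len(by_net[net]) >= min_hosts:
            entries.append(str(net))
        else:
            entries.extend(sorted(by_net[net], key=ipaddress.ip_address))
    return entries


if __name__ == "__main__":
    seen = half_open_sources(SAMPLE)
    print(len(seen), "sources ->", deny_entries(seen))
```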
