SYN flooding on port 80 and High 5 minute load average alert

Discussion in 'Security' started by monkey64, Jan 24, 2013.

  1. monkey64

    WHM is running CSF Firewall and I pay my Hosting partner for a Hardware Firewall which they claim "provides limited protection against Denial Of Service (DoS) attacks."

    A recent email generated by CSF claimed a "High 5 minute load average alert", so I checked /var/log/messages.
    In there, I found the line:

    "TCP: Possible SYN flooding on port 80. Sending cookies."

    It seems that there are a large number of attempts to connect to Port 21 - FTP.
    I have this Port disabled in CSF Firewall and allow only the two IPs I ever need to use, which prevents unauthorised access. However, it doesn't stop hackers hammering away at the server many times per second and drowning it in requests.

    I looked up the 200+ IPs and found they were all from the same district in China.
    I do get legitimate Chinese traffic so I can't block the whole country. I have a limit of 100 IPs I can block in CSF, so I could never block this amount.

    Is there anything more I should be doing as a "Responsible SysAdmin"?
     
  2. cPanelJared

    I moved this to the Security section for better visibility.

    If this problem is affecting the server's performance, one thing you have not mentioned is you can ask your hosting provider if they would be willing to block this in the hardware firewall or even upstream. Whether they will be willing to do this, however, will probably depend on how much effect it is having on the network as a whole.
     
  3. concerto49

    This is definitely a data center or even the dedicated server provider's problem to be solving. You will need to work with them to see what kind of attacks you are getting and get them to work out how to prevent / deal with it.

    They should have the best tools and logs to analyze what's happening. Software firewalls such as CSF really don't help much against proper attacks aimed at you.
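
Added example, not part of the thread: a short Python summary of half-open (SYN-RECV) connections per source address and per /24, the kind of evidence a hosting provider needs when asked to filter upstream. The `ss -tan` sample is constructed from documentation address ranges, the function names are hypothetical, and only IPv4 peers (including IPv4-mapped ones) are handled.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -tan` output (documentation address ranges, not real data).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
SYN-RECV   0      0      192.0.2.10:80        203.0.113.5:40112
SYN-RECV   0      0      192.0.2.10:80        203.0.113.9:51820
SYN-RECV   0      0      192.0.2.10:80        203.0.113.77:33001
SYN-RECV   0      0      192.0.2.10:80        198.51.100.23:40000
SYN-RECV   0      0      192.0.2.10:80        198.51.100.23:40001
ESTAB      0      0      192.0.2.10:80        198.51.100.200:55555
SYN-RECV   0      0      192.0.2.10:21        203.0.113.5:40113
"""

def half_open_sources(ss_output, port=80):
    """Count half-open (SYN-RECV) sockets per peer IPv4 address on one local port."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, listeners and completed connections are not half-open
        local_port = fields[3].rsplit(":", 1)[1]
        peer_ip = fields[4].rsplit(":", 1)[0].strip("[]")
        if peer_ip.startswith("::ffff:"):  # IPv4-mapped peer on a dual-stack listener
            peer_ip = peer_ip[len("::ffff:"):]
        if local_port == str(port):
            counts[peer_ip] += 1
    return counts

def summarise_by_network(counts, prefix=24):
    """Group per-IP counts into /prefix networks, busiest first."""
    nets = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += n
    return nets.most_common()

if __name__ == "__main__":
    per_ip = half_open_sources(SAMPLE_SS)
    print(f"{sum(per_ip.values())} half-open connections from {len(per_ip)} addresses")
    for net, n in summarise_by_network(per_ip):
        print(f"{n:5d}  {net}")
```

Source addresses in a SYN flood are often spoofed, so treat the per-network totals as evidence to hand to the provider rather than as a definitive block list.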
     