
Sync attack on server

Discussion in 'General Discussion' started by its_joe, Aug 19, 2007.

  1. its_joe

    Hello

    We have CentOS Linux and WHM 11 on the server.

    We are facing a sync attack. When we check the number of connections to the server using
    netstat -n
    we see a single IP has too many connections to the server. We banned the IP in the firewall (csf) and restarted the firewall. But we can still see that IP making connections to the server.

    Also, we killed the httpd, mysql and exim processes, and after 5 minutes we restarted the services. We still see that the IP has a connection to the server.

    So please suggest how I can get rid of this IP from the server, so that when I run netstat -n I don't see the IP in the logs.

    Thanks
    its_joe
     
  2. approx

    Make sure that the IP is already on your firewall list by typing

    Code:
    iptables -nL
    
    and see if the IP is already there.
     
  3. koolcards

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    causes your machine to send back a SYN+ACK on each connection. When it doesn't receive the acknowledgement (ACK), it drops the connection and stops the attack.
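
An added example, not part of the thread or of cPanel/csf: a shell tally of the `netstat -n` output discussed above, grouped by remote IP and TCP state, so half-open SYN_RECV sockets can be told apart from entries such as TIME_WAIT. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Tally TCP connections per remote address and state from `netstat -n` output.

# Constructed sample input; all addresses are from documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40114       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40115       TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:51820     ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.23:51822     TIME_WAIT
udp        0      0 192.0.2.10:53           198.51.100.23:40000
EOF
}

# conn_summary: stdin = `netstat -n` output.
# stdout = "count ip state" lines, highest count first.
conn_summary() {
    awk '$1 ~ /^tcp/ && NF >= 6 {
             ip = $5
             sub(/:[0-9]+$/, "", ip)      # strip the remote port
             n[ip " " $6]++
         }
         END { for (k in n) print n[k], k }' |
        LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# half_open_over LIMIT: print remote IPs holding more than LIMIT
# half-open (SYN_RECV) sockets, the pattern a SYN flood produces.
half_open_over() {
    conn_summary | awk -v limit="$1" '$3 == "SYN_RECV" && $1 > limit { print $2 }'
}

# Demo on the constructed sample; on a live server use: netstat -n | conn_summary
sample_netstat | conn_summary
```
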
     
  4. gorilla
