SYN flooding attacks!

Discussion in 'Server Operation' started by holykim, Feb 14, 2012.

  1. holykim

    holykim Member

    Hi All

    Unfortunately, one of my servers was under the SYN flooding attacks.

    The first attack happened 5 days ago and I had no chance to block it myself and the upstream provider blocked all incoming traffics for the IP that was targeted.

    Again, I had a SYN flooding attack again 7 hours ago and it was the 4th attack since I have had the first attack.

    I did everything those recommended to prevent this kind of attacks such as adding firewall, changing sysctl.conf, etc but no luck. I referred to the following links.

    http://en.wikipedia.org/wiki/SYN_flood
    http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
    http://klaver.it/linux/sysctl.conf

    I increased the backlog size to 4096 and it has been full in a second such as the below.

    tcp 0 0 202.89.33.190:80 120.72.255.68:41754 SYN_RECV
    tcp 0 0 202.89.33.190:80 175.19.180.61:1798 SYN_RECV
    tcp 0 0 202.89.33.190:80 86.29.130.42:4973 SYN_RECV
    tcp 0 0 202.89.33.190:80 41.83.122.103:13855 SYN_RECV
    tcp 0 0 202.89.33.190:80 26.78.57.25:56608 SYN_RECV
    tcp 0 0 202.89.33.190:80 59.30.111.100:26740 SYN_RECV
    tcp 0 0 202.89.33.190:80 85.97.80.67:14969 SYN_RECV
    tcp 0 0 202.89.33.190:80 82.5.74.111:25716 SYN_RECV
    tcp 0 0 202.89.33.190:80 89.72.33.6:39257 SYN_RECV
    tcp 0 0 202.89.33.190:80 40.34.164.72:37654 SYN_RECV
    tcp 0 0 202.89.33.190:80 197.69.110.26:22564 SYN_RECV
    tcp 0 0 202.89.33.190:80 205.21.112.72:36145 SYN_RECV
    tcp 0 0 202.89.33.190:80 36.52.190.44:63293 SYN_RECV
    tcp 0 0 202.89.33.190:80 141.33.49.51:52561 SYN_RECV
    .
    .
    .


    The network engineer at the data centre said to me definitely they attacked to the DNS not IP address but I can not figure out how to find a DNS they have attacked.

    The first attack targeted to 202.89.33.191 and it blocked by the upstream provider by my request. The second attack targeted to 202.89.33.190.

    Please advise what I need to do at this stage? I am getting panic!!
     
  2. holykim

    holykim Member

    No one can help me?

    I have a guy at the data centre and he suggested me to find out which domain is been attacked and then disable the DNS for that domain.

    However, I cannot figure out how to find it... and I had 4 times SYN flooding attacks in a week. Please please help.
     
  3. Ben

    Ben ISPConfig Developer ISPConfig Developer

    You should be able to figure out by askin this guy, otherwise he does not know it based on any technical stuff more on an assumption.
    If you are the target e.g. by any botnet flooding you based on a fqdn list or random fqdn generation, you may have the change by changing the ip for the dns record.
    But I'd not know any method on how to resolve which dns name (or maybe names) the attackers were using, as soon as you are not able to dump traffic from the attacker(s) where the packets contain the host they try to request (e.g. web traffic). So one soultion would we something like:
    You may leave out the [src host <attackerIP>] if you do not want to reduce this to a special attacker IP adress. Later you can reanalyze the capture file .e.g with wireshar offsite to see whether the http packets ( in case you capture more than just syns) contain any fqdns.
    Alternatively you what check you httpd access or error logs for the sources of your attackers, which vhost the are assigned to.

    But what happens to you system, I mean is the amount of flood so high that you server is inoperable even when dropping the syn packets via iptables?
    Does your data center offer any kind of intelligent network device in "real hardware" like a firewall or IPS to filter out those floods?
     
    Last edited: Feb 15, 2012
  4. holykim

    holykim Member

    Thanks Ben.

    I really appreciate your attention to the issue I have had.

    I have been talking with a guy at the data centre and he suggested a Network Shaper but we found that it shouldn't be a solution for this kind of attack.

    I will do the tcpdump if I been attacked again but hopefully no more attacks...

    Ben, do you also believe they attacked to DNS not IP? I don't have a website on my server that possibly being attacked. Please advise.
     

Share This Page