SYN Flood attack?

My Linode and another server (different host, different location) have been experiencing what appears to be a SYN flood attack this afternoon. I am seeing entries like this in netstat -nt:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 -----------------       86.171.83.244:54380     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:128       SYN_RECV
tcp        0      0 -----------------       86.171.83.244:32772     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:32871     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:176       SYN_RECV
tcp        0      0 -----------------       86.171.83.244:44        SYN_RECV
tcp        0      0 -----------------       86.171.83.244:8303      SYN_RECV
tcp        0      0 -----------------       86.171.83.244:144       SYN_RECV
tcp        0      0 -----------------       86.171.83.244:25        SYN_RECV
tcp        0      0 -----------------       86.171.83.244:140       SYN_RECV
tcp        0      0 -----------------       86.171.83.244:57382     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:38888     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:24650     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:72        SYN_RECV
tcp        0      0 -----------------       86.171.83.244:4111      SYN_RECV
tcp        0      0 -----------------       86.171.83.244:41336     SYN_RECV
tcp        0      0 -----------------       86.171.83.244:114       SYN_RECV

They do this for a while with anywhere from 5 to 50 connections, and then suddenly it jumps to what I can only assume are tens or hundreds of thousands all at once. I did "netstat -nt > netstat.txt" and the resulting file was 335MB.

So far the addresses that have been used are:


I have CSF/LFD installed with syn flood enabled (1) and the rate set to 2/s with burst of 10. I have portflood set to 80;tcp;5;5 and connlimit set to 80;30. Nothing seems to be stopping these attacks. There are no entries at all for these IPs in my /var/log/messages, though other IPs are getting blocked per the firewall rules, and if I hammer my web server with requests from my smartphone, sure enough I get "SYN FLOOD blocked" in /var/log/messages. It's like CSF is immune to these specific IPs I'm being attacked from. I've checked, and they are not listed in my csf.allow file.

I tried enabling syn cookies by uncommenting "net.ipv4.tcp_syncookies=1" in /etc/sysctl.conf and restarting networking, but that doesn't seem to have had any effect.

The only way I've been able to block these is to put in rules to block 81.0.0.0/8, 86.0.0.0/8, etc. (a bit ham-fisted, but it's working for now). When I remove those rules, invariably within a few minutes another attack starts from a new IP address.

I wonder if anyone can help me figure out why I'm not able to stop this activity, or help me to understand what is going on.

7 Replies

Try the command sysctl -p - that should reload the /etc/sysctl.conf file.

I get:

net.ipv4.tcp_syncookies = 1

I had also rebooted the system, so I don't think it was a loading issue.

Attack seems to have stopped for now, so I'll have to continue to research and hopefully be better protected when it happens again.

I was running an old kernel. Updating to latest 3.5 seems to have CSF working now; the attacks have stopped and started a few times in the last 2 days and right now the connection limit and port flood settings are working. This is really annoying, though.

I would recommend reporting the attackers' IP addresses to the company/individual in control of the address space, providing the evidence. A good way to find an IP address' abuse email is through whois.

I've already done that, though I thought the IPs are typically spoofed? As long as the spoofed IP doesn't respond to an ACK then the attack will continue to work, right?

The attacks are all coming from British Telecom, but I haven't received a response from them. At least one other person is reporting the same issue.

I've set up a little script to scan netstat for SYN_RECV and if there are more than a few from one IP it just adds an iptables rule to drop the packets.
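A script along the lines of the one described in this reply, as an added example and not the poster's own code: it counts SYN_RECV entries per foreign address in netstat -nt output and drops any source above a threshold. The threshold, the INPUT chain, the never-block list and the sample state table are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script: count half-open (SYN_RECV)
# connections per remote address in `netstat -nt` output and DROP any
# source above a threshold. Assumes GNU netstat's column layout (state in
# column 6, "ip:port" in column 5) and that iptables is available.

# Addresses never to block; SYN sources can be spoofed, so a flood that
# forges a trusted IP must not lock you out. Override via the environment.
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"
# Print each foreign IP with more than $1 connections in SYN_RECV
# (netstat -nt output on stdin), one per line, sorted.
syn_offenders() {
    awk -v t="$1" '
        $6 == "SYN_RECV" { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
        END { for (ip in n) if (n[ip] > t) print ip }
    ' | sort
}

# For each offender above threshold $1: print the iptables command, or
# when $2 is "yes" insert a DROP rule (skipping rules already present).
block_offenders() {
    syn_offenders "$1" | while read -r ip; do
        case " $NEVER_BLOCK " in *" $ip "*) continue ;; esac
        if [ "$2" = "yes" ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
                iptables -I INPUT -s "$ip" -j DROP
        else
            echo "iptables -I INPUT -s $ip -j DROP"
        fi
    done
}

# Constructed sample of a state table (documentation addresses); the
# real input is `netstat -nt`, as in the thread.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.5:80            198.51.100.7:54380      SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:128        SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:32772      SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:176        SYN_RECV
tcp        0      0 192.0.2.5:22            203.0.113.9:4411        ESTABLISHED
tcp        0      0 192.0.2.5:80            192.0.2.44:5012         SYN_RECV'

# Dry run against the sample; `--apply [threshold]` works on live netstat.
if [ "${1:-}" = "--apply" ]; then
    netstat -nt | block_offenders "${2:-20}" yes
else
    printf '%s\n' "$SAMPLE" | block_offenders 3 no
fi
```

Because SYN source addresses can be forged, a per-IP block list like this can be turned against legitimate clients, which is why the never-block list exists and why syncookies stay the primary mitigation.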

@haus:

I've already done that, though I thought the IPs are typically spoofed? As long as the spoofed IP doesn't respond to an ACK then the attack will continue to work, right?

The attacks are all coming from British Telecom, but I haven't received a response from them. At least one other person is reporting the same issue.

I've set up a little script to scan netstat for SYN_RECV and if there are more than a few from one IP it just adds an iptables rule to drop the packets.

I am aware spoofed attacks are possible but it is also likely that they could be using infected machines.

@TomM:

I am aware spoofed attacks are possible but it is also likely that they could be using infected machines.

True. The first thing I did was notify them and give them all the addresses I'd collected so far, along with some other information (including how to reach me). The ball is in their court, so to speak; that was 3 days ago.
