January 4th, 2010, 00:37
#21
Permanent Member
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
In looking at the number of connections on the server, and the number of IP addresses that are sending SYN to Apache without making a complete connection, I have to agree with Danielle's assessment of the situation, and I would suggest blocking these IP addresses to see if that resolves the issue you're experiencing.
---------- Post added at 12:37 AM ---------- Previous post was at 12:08 AM ----------
My question and answer on this same subject:
First, please accept my apologies, but I wanted to know whether my Apache might not be optimized, as far as I am sure that I have configured it properly.
It has been resolved by banning the SYN IPs that had more than 3 samples of those IPs,
but I am not sure whether these IPs are real clients or not.
One of my friends told me that one of them that I checked seems to be a client IP address.
I have blocked the following:
Greetings,
It's quite alright, I just wanted to let you know that it's most efficient for us to be able to get the entire picture, especially if an issue has been discussed previously with other analysts.
It should be noted that SYN_RECV itself will occur with any connection to Apache -- it's the SYNs that don't complete in a timely fashion that appear suspicious.
Here's a bash command you may find useful. It will list all IP addresses that are connecting to the server but haven't completed a SYN in 5 seconds:
(netstat -an | grep SYN_RECV; sleep 5; netstat -an | grep SYN_RECV) | awk '{print $5}' | sort | uniq -c | sort -n | awk '$1 > 1 { print $2 }' | awk -F: '{print $1}' | sort | uniq
The IP addresses may not be doing anything malicious, but it's worth investigating if you continue to see any issues. I don't see the current MaxClients setting as being involved in any issues, but then again, I haven't seen this issue occur in real-time. It might be helpful if you re-open this ticket the next time that Apache is completely down, and let us investigate the issue as it's happening.
January 4th, 2010, 00:55
#22
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
This is a SYN flood attack, and a really nasty one. It essentially performs an incomplete handshake. Banning IPs is useless. Given that you say the IPs are Iranian, you are in fact cutting the site off from Iranian visitors. And the attack is being carried out with fake IPs (that's how it looks), because a DoS doesn't suddenly come from 1000 IPs, unless it's done through proxies, and where would anyone find that many proxies with Iranian IPs?!
January 4th, 2010, 08:41
#23
January 4th, 2010, 11:23
#24
January 4th, 2010, 11:25
#25
Forum Member
Reply: How do I stop these SYN (SYN_RECV) flood attacks?

Originally posted by Woshka:
How do I stop these?
CSF is installed but it isn't doing a damn thing.
tcp 0 0 74.81.90.77:80 80.191.138.131:54662 SYN_RECV
What's going on?
The IP that's attacking is registered under the name of the University of Kashan!
Whois record for 80.191.138.131
January 4th, 2010, 11:30
#26
Forum Member
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
Woshka dear, I think you should go to the University of Kashan and tear the place apart.
The day that has to come will come eventually....
January 4th, 2010, 13:38
#27
Permanent Member
Reply: How do I stop these SYN (SYN_RECV) flood attacks?

And that's nothing.
Once I ran a whois and it came back as some health and treatment center in Genaveh or someplace like that.
These people have infiltrated everywhere.

---------- Post added at 01:26 PM ---------- Previous post was at 01:22 PM ----------
With all this blocking, yesterday's visits came to 2000.
The day before, it was 7000.
That's a drop of 5000 :-P
---------- Post added at 01:38 PM ---------- Previous post was at 01:26 PM ----------
Under attack again:
root@box01 [~]# netstat -an|grep SYN_RECV
tcp 0 0 74.81.90.77:80 95.38.24.254:1200 SYN_RECV
tcp 0 0 74.81.90.66:80 213.217.40.136:55677 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.193.3:1303 SYN_RECV
tcp 0 0 74.81.90.73:80 91.75.24.3:34748 SYN_RECV
tcp 0 0 74.81.90.77:80 217.218.209.34:12663 SYN_RECV
tcp 0 0 74.81.90.66:80 93.158.151.24:57468 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.97.160:1067 SYN_RECV
tcp 0 0 74.81.90.77:80 65.49.14.10:45540 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.246.4:11427 SYN_RECV
tcp 0 0 74.81.90.77:80 91.186.212.14:61466 SYN_RECV
tcp 0 0 74.81.90.77:80 188.136.142.7:56833 SYN_RECV
tcp 0 0 74.81.90.77:80 212.16.89.147:59788 SYN_RECV
tcp 0 0 74.81.90.77:80 79.127.122.10:3277 SYN_RECV
tcp 0 0 74.81.90.77:80 91.186.212.14:61508 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4343 SYN_RECV
tcp 0 0 74.81.90.73:80 91.75.24.3:37111 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:3402 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4324 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:4444 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4339 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.69.192:2479 SYN_RECV
tcp 0 0 74.81.90.77:80 86.96.228.86:9442 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.97.160:1041 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:3151 SYN_RECV
tcp 0 0 74.81.90.66:80 82.99.201.219:7372 SYN_RECV
tcp 0 0 74.81.90.77:80 85.185.238.162:61664 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.94.149:1361 SYN_RECV
tcp 0 0 74.81.90.77:80 92.50.19.81:4677 SYN_RECV
tcp 0 0 74.81.90.77:80 217.218.209.34:10772 SYN_RECV
tcp 0 0 74.81.90.77:80 95.38.24.254:1201 SYN_RECV
tcp 0 0 74.81.90.77:80 95.38.24.254:1191 SYN_RECV
tcp 0 0 74.81.90.74:80 213.207.216.224:49968 SYN_RECV
tcp 0 0 74.81.90.73:80 80.191.156.2:39827 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:2883 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.123.192:48353 SYN_RECV
tcp 0 0 74.81.90.77:80 94.182.236.5:55576 SYN_RECV
tcp 0 0 74.81.90.77:80 85.9.123.56:2226 SYN_RECV
tcp 0 0 74.81.90.77:80 80.191.123.192:39662 SYN_RECV
tcp 0 0 74.81.90.77:80 91.186.212.14:52984 SYN_RECV
tcp 0 0 74.81.90.77:80 78.157.59.226:60379 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.194.41:26819 SYN_RECV
tcp 0 0 74.81.90.77:80 213.217.40.100:18987 SYN_RECV
tcp 0 0 74.81.90.77:80 77.237.178.34:7117 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.69.192:2427 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.194.41:30527 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49239 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49214 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49222 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49217 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49229 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49242 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49224 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49219 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49221 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49216 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49218 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49220 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49227 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49235 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49233 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49249 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49248 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49234 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49215 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49223 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49237 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49226 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49230 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49243 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49238 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49228 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49231 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49250 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49232 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49246 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49245 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49247 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49240 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49251 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49252 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49225 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49253 SYN_RECV
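The analyst's one-liner earlier in the thread and the netstat dump just above both rest on the same idea: a SYN_RECV entry on its own is normal, while a remote address whose handshake is still unfinished several seconds later is what merits a look. The script below is an added example written for this thread, not the analyst's command and not CSF; it runs the same two-snapshot check offline on constructed samples (addresses borrowed from the dump above), but de-duplicates each snapshot first so an IP is reported only when it has a half-open connection in both samples, and it drops the loopback 127.0.0.1 -> 127.0.0.1:443 entries, which are local software talking to itself and cannot be a spoofed remote source. It also reproduces the "more than N half-open entries from one IP" count the original poster used for banning. As post #22 notes, none of this helps against spoofed sources; it only tells you which addresses to investigate before blocking them. It assumes the `netstat -an` column layout shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): two-snapshot SYN_RECV check with
# per-snapshot de-duplication and loopback filtering.
# Assumes the netstat -an layout seen above:
#   proto recv-q send-q local-address foreign-address state

# Constructed snapshots, imagined as taken 5 seconds apart.
SNAP1='tcp 0 0 74.81.90.77:80 95.38.24.254:1200 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4343 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4324 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:3402 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49239 SYN_RECV
tcp 0 0 74.81.90.77:80 93.158.151.24:57468 ESTABLISHED'
SNAP2='tcp 0 0 74.81.90.77:80 95.38.24.254:1201 SYN_RECV
tcp 0 0 74.81.90.77:80 78.39.198.25:4339 SYN_RECV
tcp 0 0 74.81.90.77:80 217.219.47.12:4444 SYN_RECV
tcp 0 0 74.81.90.77:80 82.99.201.219:7372 SYN_RECV
tcp 0 0 127.0.0.1:443 127.0.0.1:49214 SYN_RECV'

# syn_recv_ips SNAPSHOT: unique non-loopback foreign IPs in SYN_RECV.
# Loopback peers are local processes, not remote (or spoofed) clients.
syn_recv_ips() {
  printf '%s\n' "$1" |
    awk '$NF == "SYN_RECV" { split($5, a, ":"); if (a[1] != "127.0.0.1") print a[1] }' |
    sort -u
}

# persistent_half_open SNAP_A SNAP_B: IPs still half-open in both samples.
# Each snapshot contributes an IP at most once, so `uniq -d` (lines seen
# more than once) means "present in both".
persistent_half_open() {
  { syn_recv_ips "$1"; syn_recv_ips "$2"; } | sort | uniq -d
}

# busiest_ips SNAPSHOT MIN: IPs with at least MIN half-open connections in
# a single sample (the "more than N samples" heuristic used for banning),
# most entries first.
busiest_ips() {
  printf '%s\n' "$1" |
    awk -v min="$2" '
      $NF == "SYN_RECV" { split($5, a, ":"); if (a[1] != "127.0.0.1") n[a[1]]++ }
      END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
    sort -rn | awk '{ print $2 }'
}

# On a live server the same functions take real output:
#   persistent_half_open "$(netstat -an)" "$(sleep 5; netstat -an)"
echo "Half-open in both samples:"
persistent_half_open "$SNAP1" "$SNAP2"
echo "At least 2 half-open entries in sample 1:"
busiest_ips "$SNAP1" 2
```

On the constructed input the first list is the three addresses that were half-open in both samples, and the count check singles out the one address with two unfinished handshakes in a single sample; an address that appears once and then completes its handshake never shows up in either list.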
January 4th, 2010, 13:39
#28
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
One of them is apparently studying medicine; it looks like a client too.
Maybe the guy is hacking clients, given how many IPs he has on hand.
January 4th, 2010, 14:16
#29
Permanent Member
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
I set MaxSpareServers to 500.
Maybe it really isn't an attack!!!
January 4th, 2010, 14:20
#30
Reply: How do I stop these SYN (SYN_RECV) flood attacks?
Maybe what Mamad said is right too, that they've put up an iframe.
Limit the bandwidth to your own site with an htaccess file so the iframe stops working, and see what happens.