Hi All. Unfortunately, one of my servers has been under SYN flooding attacks. The first attack happened 5 days ago and I had no chance to block it myself, and the upstream provider blocked all incoming traffic for the IP that was targeted. Then I had another SYN flooding attack 7 hours ago, and it was the 4th attack since the first one. I did everything that is recommended to prevent this kind of attack, such as adding a firewall, changing sysctl.conf, etc., but no luck. I referred to the following links:
http://en.wikipedia.org/wiki/SYN_flood
http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
http://klaver.it/linux/sysctl.conf
I increased the backlog size to 4096 and it has been full within a second, as below:
tcp 0 0 202.89.33.190:80 120.72.255.68:41754 SYN_RECV
tcp 0 0 202.89.33.190:80 175.19.180.61:1798 SYN_RECV
tcp 0 0 202.89.33.190:80 86.29.130.42:4973 SYN_RECV
tcp 0 0 202.89.33.190:80 41.83.122.103:13855 SYN_RECV
tcp 0 0 202.89.33.190:80 26.78.57.25:56608 SYN_RECV
tcp 0 0 202.89.33.190:80 59.30.111.100:26740 SYN_RECV
tcp 0 0 202.89.33.190:80 85.97.80.67:14969 SYN_RECV
tcp 0 0 202.89.33.190:80 82.5.74.111:25716 SYN_RECV
tcp 0 0 202.89.33.190:80 89.72.33.6:39257 SYN_RECV
tcp 0 0 202.89.33.190:80 40.34.164.72:37654 SYN_RECV
tcp 0 0 202.89.33.190:80 197.69.110.26:22564 SYN_RECV
tcp 0 0 202.89.33.190:80 205.21.112.72:36145 SYN_RECV
tcp 0 0 202.89.33.190:80 36.52.190.44:63293 SYN_RECV
tcp 0 0 202.89.33.190:80 141.33.49.51:52561 SYN_RECV
.
.
.
The network engineer at the data centre told me that they definitely attacked the DNS name, not the IP address, but I cannot figure out which DNS name they attacked. The first attack targeted 202.89.33.191 and it was blocked by the upstream provider at my request. The second attack targeted 202.89.33.190. Please advise what I need to do at this stage. I am panicking!!
No one can help me? I have a guy at the data centre and he suggested that I find out which domain is being attacked and then disable the DNS for that domain. However, I cannot figure out how to find it... and I have had 4 SYN flooding attacks in a week. Please please help.
You should be able to figure it out by asking this guy; otherwise he does not know it based on any technical evidence, more on an assumption. If you are the target, e.g. of a botnet flooding you based on an FQDN list or random FQDN generation, you may have a chance by changing the IP for the DNS record. But I do not know any method to resolve which DNS name (or maybe names) the attackers were using, as long as you are not able to dump traffic from the attacker(s) where the packets contain the host they try to request (e.g. web traffic). So one solution would be something like: You may leave out the [src host <attackerIP>] if you do not want to reduce this to a specific attacker IP address. Later you can re-analyse the capture file, e.g. with Wireshark offsite, to see whether the HTTP packets (in case you capture more than just SYNs) contain any FQDNs. Alternatively you could check your httpd access or error logs for the sources of your attackers, to see which vhost they are assigned to. But what happens to your system? I mean, is the amount of flood so high that your server is inoperable even when dropping the SYN packets via iptables? Does your data centre offer any kind of intelligent network device in "real hardware", like a firewall or IPS, to filter out those floods?
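The log-correlation step Ben suggests (take the peers sitting in SYN_RECV, look them up in the httpd access log, and see which vhost they requested) as an added Python example; this is not code from the thread or from any of the posters. The netstat and access-log lines are constructed samples using documentation address ranges, and the access log is assumed to use a LogFormat that begins with %v (the ServerName), which is not Apache's default combined format.

```python
"""Summarise half-open (SYN_RECV) connections from `netstat -tn` output and
correlate their source addresses with the virtual hosts seen in an Apache
access log.  All sample data below is constructed for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout of `netstat -tn`:
# proto recv-q send-q local-address remote-address state
NETSTAT_SAMPLE = """\
tcp 0 0 192.0.2.10:80 203.0.113.7:41754 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.3:1798 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.7:4973 SYN_RECV
tcp 0 0 192.0.2.10:443 198.51.100.9:13855 SYN_RECV
tcp 0 0 192.0.2.10:22 192.0.2.50:56608 ESTABLISHED
tcp 0 0 192.0.2.11:80 203.0.113.7:26740 SYN_RECV
"""

# Constructed sample for an assumed LogFormat "%v %h %l %u %t \"%r\" %>s %b"
# (vhost first, then client address; the default combined format lacks %v).
ACCESS_LOG_SAMPLE = """\
shop.example.test 203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET / HTTP/1.1" 200 512
shop.example.test 198.51.100.3 - - [10/Oct/2012:13:55:37 +0000] "GET / HTTP/1.1" 200 512
blog.example.test 192.0.2.50 - - [10/Oct/2012:13:55:38 +0000] "GET /feed HTTP/1.1" 200 2048
shop.example.test 203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "GET / HTTP/1.1" 200 512
"""

# Header and non-TCP lines of real netstat output simply fail to match.
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[[^\]]+\]\s+"(?P<request>[^"]*)"'
)


def split_host_port(addr):
    """Split 'host:port' on the last colon so IPv6 literals keep their colons."""
    host, _, port = addr.rpartition(":")
    return host, port


def syn_recv_summary(netstat_text):
    """Count half-open connections per local socket and per remote source host."""
    by_local = Counter()
    by_source = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m or m.group("state") != "SYN_RECV":
            continue
        by_local[m.group("local")] += 1
        by_source[split_host_port(m.group("remote"))[0]] += 1
    return {"total": sum(by_local.values()),
            "by_local": by_local, "by_source": by_source}


def vhost_summary(log_text):
    """Count requests per virtual host and list the distinct clients of each."""
    requests = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        requests[m.group("vhost")] += 1
        clients[m.group("vhost")].add(m.group("client"))
    return {"requests": requests,
            "clients": {v: sorted(c) for v, c in clients.items()}}


def vhosts_hit_by(log_text, sources):
    """Return the vhosts that any of the given source addresses requested."""
    wanted = set(sources)
    summary = vhost_summary(log_text)
    return sorted(v for v, c in summary["clients"].items() if wanted & set(c))


if __name__ == "__main__":
    syn = syn_recv_summary(NETSTAT_SAMPLE)
    print("half-open connections:", syn["total"])
    print("per local socket:", dict(syn["by_local"]))
    print("per source host:", dict(syn["by_source"]))
    print("vhosts requested by those sources:",
          vhosts_hit_by(ACCESS_LOG_SAMPLE, syn["by_source"]))
```

On a live box, feed it `netstat -tn` output and the access log of each vhost instead of the samples. One caveat on what the correlation can and cannot tell you: a peer only reaches the access log after completing the TCP handshake and sending a Host header, so sources of a pure SYN flood (which typically never complete the handshake, and are often spoofed) will show up in the SYN_RECV summary but not in the log; the vhost correlation is informative for the HTTP-level floods Ben mentions, where the attackers do finish the handshake.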
Thanks Ben. I really appreciate your attention to the issue I have had. I have been talking with a guy at the data centre and he suggested a network shaper, but we found that it isn't a solution for this kind of attack. I will do the tcpdump if I am attacked again, but hopefully there will be no more attacks... Ben, do you also believe they attacked the DNS name, not the IP? I don't have a website on my server that could possibly be attacked. Please advise.