Incidents
Spam and SYN Flood? Dec 18 2006 09:24PM
Curt LeCaptain (lecaptainc infinitytechnology com) (1 reply)
I'm new to the list, so if I'm in the wrong place e-mailing this
message, I apologize. For about the last 5-7 days, I've been noticing a
rather large amount of spam, all messages being sent to non-existent
addresses on our mail server, along with the majority of them showing up
as 0-byte e-mails with no FROM address. Alongside this, I had noticed
that even though after I blocked IP addresses via ipchains (yes, we're
not running iptables right now, I'm looking to switch but it's an older
server, so migration is coming to a box that does have iptables on it
rather than ipchains), I'm seeing a rather large amount of SYN_RECV
connections to port 25. This had created another issue, which was the
fact that all these syn connections were blocking mail access. We'd
stop and start sendmail, be able to receive connections for a short
time, then lose all connectivity via port 25. That was when I
noticed these SYN_RECV connections.

I've since enabled TCP_SYNCOOKIES as well as increased the SYN buffer to
4096, as well as shortened the amount of time that a SYN connection
existed on the server. What I'm looking for is: am I creating a denial
of service for myself, or is this coming from somewhere else that I'm
just not expecting? If so, is there a way to trace this, or not?

Example of SYN_RECV entries from netstat -anp output:

tcp 0 0 x.x.x.x:25 196.40.74.40:4892 SYN_RECV -
tcp 0 0 x.x.x.x:25 81.198.237.112:2609 SYN_RECV -
tcp 0 0 x.x.x.x:25 85.37.219.136:18197 SYN_RECV -
tcp 0 0 x.x.x.x:25 212.193.162.2:56128 SYN_RECV -
tcp 0 0 x.x.x.x:25 193.25.197.69:57260 SYN_RECV -
tcp 0 0 x.x.x.x:25 217.29.159.130:39079 SYN_RECV -
tcp 0 0 x.x.x.x:25 89.180.62.116:3583 SYN_RECV -
tcp 0 0 x.x.x.x:25 80.99.184.142:1509 SYN_RECV -
tcp 0 0 x.x.x.x:25 195.205.36.110:55455 SYN_RECV -
tcp 0 0 x.x.x.x:25 217.195.17.67:38192 SYN_RECV -
tcp 0 0 x.x.x.x:25 220.110.2.106:51764 SYN_RECV -
tcp 0 0 x.x.x.x:25 193.171.152.37:45375 SYN_RECV -
tcp 0 0 x.x.x.x:25 85.158.136.35:10157 SYN_RECV -
tcp 0 0 x.x.x.x:25 210.188.201.9:38873 SYN_RECV -

(this can go on for about 1500 connections, so that's why only about 15
are listed)

Any help is appreciated.

Curt L.
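The question the post raises, whether the backlog is a self-inflicted
configuration problem or traffic arriving from many outside hosts, can be
answered from the netstat listing itself: if the SYN_RECV entries come from a
large number of distinct source addresses with about one half-open socket
each, blocking individual IPs (as was tried with ipchains) cannot drain the
backlog, and the kernel-side controls the poster turned on (SYN cookies, a
larger SYN backlog, a shorter SYN_RECV lifetime) are the right lever. The
script below is an added example and is not code from the original post or
from SecurityFocus; it parses `netstat -anp`-style output and summarises the
half-open sockets on one local port per remote host. The sample listing is
constructed in that layout, reusing some of the addresses quoted in the post
(with the local address masked as there) plus made-up LISTEN and ESTABLISHED
rows for contrast; the function names and the "distributed/concentrated"
threshold are this example's own choices.

```python
from collections import Counter

# Constructed sample in the layout of `netstat -anp` on Linux. The SYN_RECV
# rows reuse addresses quoted in the post (local address masked as there);
# the LISTEN and ESTABLISHED rows are made up for contrast.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address       State       PID/Program name
tcp        0      0 0.0.0.0:25       0.0.0.0:*             LISTEN      1234/sendmail
tcp        0      0 x.x.x.x:25       196.40.74.40:4892     SYN_RECV    -
tcp        0      0 x.x.x.x:25       81.198.237.112:2609   SYN_RECV    -
tcp        0      0 x.x.x.x:25       85.37.219.136:18197   SYN_RECV    -
tcp        0      0 x.x.x.x:25       196.40.74.40:4893     SYN_RECV    -
tcp        0      0 x.x.x.x:25       212.193.162.2:56128   SYN_RECV    -
tcp        0      0 x.x.x.x:25       10.0.0.5:51001        ESTABLISHED 1234/sendmail
tcp        0      0 x.x.x.x:22       10.0.0.7:40022        ESTABLISHED 987/sshd
"""


def split_addr(addr):
    """Split 'host:port' on the last colon (handles masked hosts and '*' ports)."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP socket line; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_addr(fields[3])
        rhost, rport = split_addr(fields[4])
        conns.append({
            "proto": fields[0],
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": fields[5],
            # the PID/Program column is '-' for kernel-owned half-open sockets
            "program": fields[6] if len(fields) > 6 else "-",
        })
    return conns


def syn_recv_summary(conns, local_port="25"):
    """Count half-open (SYN_RECV) sockets on one local port, per remote host."""
    per_source = Counter(
        c["remote_host"] for c in conns
        if c["state"] == "SYN_RECV" and c["local_port"] == local_port
    )
    return {
        "total": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "per_source": per_source,
    }


def classify(summary, max_per_source_for_distributed=2):
    """Rough triage of the backlog shape, in the terms the post asks about.

    The threshold is an assumption of this example, not a kernel constant.
    """
    if summary["total"] == 0:
        return "no half-open backlog on this port"
    busiest = summary["per_source"].most_common(1)[0][1]
    if busiest <= max_per_source_for_distributed:
        return ("distributed: roughly one SYN per source address, so blocking "
                "individual IPs will not drain the backlog; rely on SYN cookies, "
                "backlog size and SYN-ACK retry limits")
    return ("concentrated: a few sources dominate the backlog; per-source "
            "filtering or rate limiting is worth doing first")


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    summary = syn_recv_summary(conns, "25")
    print(f"SYN_RECV on :25 -> {summary['total']} sockets from "
          f"{summary['distinct_sources']} sources")
    for host, n in summary["per_source"].most_common(5):
        print(f"  {host:<18} {n}")
    print(classify(summary))
```

On a live host, feed it `netstat -anp | python3 this_script.py` style input (or
`ss -tan`, whose columns differ, so adjust the field indices) and sample it a
few times a minute; a backlog that refills within seconds from fresh source
addresses after a sendmail restart is outside traffic, not a local
misconfiguration. The settings the post describes correspond on a current
Linux kernel to `net.ipv4.tcp_syncookies`, `net.ipv4.tcp_max_syn_backlog` and
`net.ipv4.tcp_synack_retries`, which can be read back with `sysctl` to confirm
they took effect; older 2.2-era kernels expose the same controls under
/proc/sys/net/ipv4/.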


Re: Spam and SYN Flood? Dec 21 2006 12:52AM
Peter Kosinar (goober ksp sk)
Copyright 2010, SecurityFocus