Anyone know what kind of attack this is?

Tom Diehl tdiehl at rogueind.com
Fri Jan 7 04:55:46 UTC 2005


Hi all,

I am experiencing some kind of attack on one of my web servers. I _think_
it might be a syn flood attack but I am not 100% sure. Can someone have a look
at the following log entries and try to give me an idea what is going on here and
the best way to stop/minimize this?

Jan  6 23:04:16 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  6 23:04:18 taz last message repeated 2 times
Jan  6 23:04:20 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24009 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 23:04:21 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=212 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  6 23:04:21 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan  6 23:04:22 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=96 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  6 23:04:23 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  6 23:04:26 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=18 ID=30149 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 23:04:26 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24012 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

66.92.236.xxx is dnatted to 192.168.1.9. Ethereal tells me that the packets
are empty.

This is a fully updated FC2 machine. FWIW I have blocked several /16's but
after an hour or so they move to another one. I do not like the idea of
blocking whole countries. :-(

Suggestions appreciated.

Regards,

Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com
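The log lines in the post are netfilter LOG output, and the odd detail in them is that every inbound SYN carries SPT=0, a TCP source port no real client uses. The following Python is an added example (not code from the post or its author) that parses lines of this format, separates the inbound SYNs with source port 0 from ordinary SYNs and from the web server's own replies, and records the TTLs seen per source. It assumes eth0 is the external interface and eth1 the LAN side; the sample lines are constructed from the ones quoted above (same masked DST address) plus one ordinary SYN from the documentation address 198.51.100.7 for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the netfilter LOG lines quoted in the post.
# The last line is a made-up "normal" SYN so the classifier has something to
# contrast against. Interface roles (eth0 external, eth1 LAN) are an assumption.
SAMPLE_LOG = """\
Jan  6 23:04:16 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  6 23:04:20 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24009 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 23:04:21 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan  6 23:04:26 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=18 ID=30149 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 23:04:30 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=198.51.100.7 DST=66.92.236.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EXTERNAL_IF = "eth0"  # assumption: eth0 faces the Internet


def parse_line(line):
    """Split one netfilter LOG line into a dict of KEY=VALUE fields plus a flag set.

    Bare tokens such as DF, SYN and ACK have no '=' and are collected in 'flags'.
    Returns None for lines that are not LOG entries (e.g. 'last message repeated').
    """
    m = re.match(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*?)\s*IN=", line)
    if not m:
        return None
    ts, host, prefix = m.groups()
    fields = {"ts": ts, "host": host, "prefix": prefix, "flags": set()}
    for tok in line[m.end(3):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= and similar empty values stay as ""
        elif tok in TCP_FLAGS or tok == "DF":
            fields["flags"].add(tok)
    return fields


def classify(fields):
    """Label a parsed TCP line; None means the line is not relevant to this check."""
    if fields.get("PROTO") != "TCP":
        return None
    flags = fields["flags"]
    spt = int(fields.get("SPT", -1))
    if fields.get("IN") == EXTERNAL_IF and "SYN" in flags and "ACK" not in flags:
        # TCP source port 0 is reserved; a legitimate client stack never uses it,
        # so a SYN from port 0 is either crafted or badly broken.
        return "inbound_syn_port0" if spt == 0 else "inbound_syn"
    if fields.get("OUT") == EXTERNAL_IF and spt == 80 and "ACK" in flags:
        # The web server answering (or trying to answer) one of those SYNs.
        return "outbound_web_reply"
    return None


def summarize(text):
    """Count each category and collect the TTLs observed per external source."""
    counts = Counter()
    ttls = defaultdict(set)
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        label = classify(fields)
        if label is None:
            continue
        counts[label] += 1
        if label.startswith("inbound"):
            ttls[fields["SRC"]].add(int(fields["TTL"]))
    return {"counts": dict(counts), "ttls": {src: sorted(v) for src, v in ttls.items()}}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Two things the summary surfaces that are easy to miss by eye: the SYNs from port 0 can be dropped outright with a plain sanity rule on the external interface (`--sport 0` is never legitimate), which needs no knowledge of who is sending them, and the per-source TTL set shows the same "source" arriving with different TTLs within seconds, which is one hint that the source address may not reflect where the packets really come from, and would explain why blocking whole /16s keeps failing to stick.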



