kernel: possible SYN flooding on port 2790. Sending cookies.
Hello,
I am tired of flooders, my server went down over 15 times in 48 hours. Can anyone please help me solve this issue? Someone is flooding and my server is going down.
In /var/log/messages I am getting:
kernel: possible SYN flooding on port 2790. Sending cookies.
I have to restart my server to bring it back to stable via the command:
init 6
My server is using: lighttpd
I am not good with Linux, please any of you, help me to stop this flood.
Waiting
Best Regards
Zek |
Do you have syn_cookies turned on? Check with:
Code:
cat /proc/sys/net/ipv4/tcp_syncookies
If not on, turn them on with:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
it's already ON !
srv63:/# cat /proc/sys/net/ipv4/tcp_syncookies
1
Any other suggestion to stop this ?
Quote:
Quote:
If there is a chance to stop this, please let me know how. |
Quote:
Hang in there - I'm not a security expert, but there are some really knowledgeable people who read this forum. |
What service is running on 2790? The default is PLG Proxy, which I believe is just a generic proxy similar to Squid. Why would that be running on your server? I didn't see any references to it on the lighttpd website.
If you're really being synflooded, the best thing to do is contact your ISP and see if they can put filtering in place to help out. There aren't a whole lot of effective options that you can put in place on your server itself if it's getting overwhelmed by sheer volume of requests. |
This might provide temporary relief (assuming the attacker doesn't simply move to another service port, and assuming you don't mind blocking tcp 2790).
# iptables -I INPUT 1 -p tcp --dport 2790 -j DROP
But, as was mentioned, if they're using up your whole pipe with their packets, you're going to need to talk with your ISP. DDoS is not particularly easy to stop. |
I am running a Tracker with 115,000 peers.
XBTT is running on port 2790. When my tracker is going down, I tried to bring it back. I am getting this error:
./xbt_tracker bind failed: EADDRINUSE
I have to restart my server: init 6 to run XBTT again.
My XBTT tracker was online over 97 days without any problems; in the past 48 hours, it's been down over 15 times. I am very sure someone is flooding on port 2790 and crashing my XBT announce.
netstat -ant | grep SYN_RECV | wc -l
Quote:
Quote:
My website is opening without any problem, just my XBTT software "Tracker" is crashing because of SYN flood on port 2790.
Is it possible to make a rule in iptables to allow 30 requests/second per IP? If more than 30 requests per IP, firewall drops them & accepts only 30 of them and allows other requests after 2-3 seconds. If possible, please let me know how. |
Quote:
|
You should be able to restart the tracker without rebooting the system entirely. Do
Code:
$ sudo lsof -nPi |grep \:2790 |
Thanks Mates.
Thanks a lot :) |
Shouldn't we look at what is actually coming in on this port (e.g., wireshark, tcpdump) before we start making solutions to problems we don't know the exact nature of?
This could be anything from misconfigured clients, server, or kernel params, using syncookies when not really needed, a faulty app, or one not able to handle the traffic it's getting. 115,000 peers all trying to hit one port at once? Can the app handle that? Is there sufficient bandwidth on your connection? If this is a traffic flow problem, maybe check into traffic shaping (the /sbin/tc tool that often sits lonely).
What exactly do you mean by "crashing"? Service doesn't respond, service segfaults, or box kernel panics?
Code:
./xbt_tracker
Are you really being attacked by some mystery attackers with unknown intentions that are hell-bent on flooding a relatively little-known service on an uncommon port, or is something just not working like it should/you think it should? "Entia non sunt multiplicanda praeter necessitatem." |