kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 06:49:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 06:50:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 06:51:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:16:11 srv63 -- MARK --
Aug 21 07:23:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:24:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:25:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:26:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:27:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:32:00 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
What service is running on 2790? The default is PLG Proxy, which I believe is just a generic proxy similar to Squid. Why would that be running on your server? I didn't see any references to it on the lighttpd website.
If you're really being synflooded, the best thing to do is contact your ISP and see if they can put filtering in place to help out. There aren't a whole lot of effective options that you can put in place on your server itself if it's getting overwhelmed by sheer volume of requests.
This might provide temporary relief (assuming the attacker doesn't simply move to another service port, and assuming you don't mind blocking tcp 2790).
# iptables -I INPUT 1 -p tcp --dport 2790 -j DROP
But, as was mentioned, if they're using up your whole pipe with their packets, you're going to need to talk with your ISP. DDoS is not particularly easy to stop.
Shouldn't we look at what is actually coming on this port (e.g., wireshark, tcpdump) before we start making solutions to problems we don't know the exact nature of? This could be anything from misconfigured clients, server, or kernel params, using syncookies when not really needed, a faulty app, or one not able to handle the traffic it's getting. 115,000 peers all trying to hit one port at once? Can the app. handle that? Is there sufficient bandwidth on your connection? If this is a traffic flow problem, maybe check into traffic shaping (the /sbin/tc tool that often sits lonely). What exactly do you mean by "crashing"? Service doesn't respond, service segfaults, or box kernel panics?
Code:
./xbt_tracker
bind failed: EADDRINUSE
That looks like you're trying to start multiple copies of the same thing on the same port.
Are you really being attacked by some mystery attackers with unknown intentions that are hell-bent on flooding a relatively little-known service on an uncommon port, or is something just not working like it should/you think it should? "Entia non sunt multiplicanda praeter necessitatem."
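Added example, not part of any post in this thread: one way to check what is actually hitting the port before blocking it is to group half-open (SYN-RECV) connections on port 2790 by source address. The function name `summarize_synrecv` and the sample `ss -tan` output are constructed for illustration; the addresses come from documentation ranges.

```shell
#!/bin/sh
# Count half-open (SYN-RECV) connections to one local port, grouped by source.
# A few sources holding most of the queue looks different from thousands of
# peers holding one entry each (e.g. a busy tracker with a small backlog).
# Live use: ss -tan | summarize_synrecv 2790

# Constructed sample of `ss -tan` output, embedded so the script runs offline.
sample_ss_output() {
cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:2790        0.0.0.0:*
SYN-RECV  0      0      203.0.113.10:2790   198.51.100.7:40112
SYN-RECV  0      0      203.0.113.10:2790   198.51.100.7:40113
SYN-RECV  0      0      203.0.113.10:2790   198.51.100.7:40114
SYN-RECV  0      0      203.0.113.10:2790   192.0.2.44:51820
ESTAB     0      0      203.0.113.10:2790   192.0.2.45:51000
SYN-RECV  0      0      203.0.113.10:80     192.0.2.99:33000
EOF
}

# summarize_synrecv PORT  (reads `ss -tan` output on stdin)
# Prints "count source" lines, highest count first, then a totals line.
summarize_synrecv() {
  awk -v port="$1" '
    $1 != "SYN-RECV" { next }          # skips the header and other states
    {
      n = split($4, loc, ":")          # local port follows the last colon
      if (loc[n] != port) next
      src = $5
      sub(/:[0-9]+$/, "", src)         # drop the peer port, keep the address
      if (!(src in count)) sources++
      count[src]++
      total++
    }
    END {
      cmd = "sort -k1,1nr -k2,2"
      for (s in count) printf "%d %s\n", count[s], s | cmd
      close(cmd)                       # flush the sorted list before totals
      printf "total=%d sources=%d\n", total, sources
    }'
}

# Demo on the constructed sample.
sample_ss_output | summarize_synrecv 2790
```

While the kernel is answering with SYN cookies it does not queue those SYNs, so this shows who filled the backlog rather than the total SYN rate; a packet capture gives the rate.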