LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-21-2008, 03:04 PM   #1
zekmaster
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Rep: Reputation: 0
Unhappy kernel: possible SYN flooding on port 2790. Sending cookies.


Hello,

I am tired of flooders; my server went down over 15 times in 48 hours.

Can anyone please help me solve this issue?

Someone is flooding and my server is going down. In /var/log/messages I am getting: kernel: possible SYN flooding on port 2790. Sending cookies.

I have to restart my server to bring it back to stable via the command: init 6

My server is using: lighttpd

I am not good with Linux; please, any of you, help me to stop this flood.

Waiting


Best Regards
Zek
 
Old 08-21-2008, 03:36 PM   #2
jlarsen
Member
 
Registered: Jan 2005
Location: Dallas, TX
Distribution: Slackware 14.1
Posts: 80

Rep: Reputation: 15
Do you have syn_cookies turned on? Check with:

Code:
cat /proc/sys/net/ipv4/tcp_syncookies
0 is off, 1 is on.
If not on turn them on with:

Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
in a startup script.

Last edited by jlarsen; 08-21-2008 at 03:36 PM. Reason: typo
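The check and the one-line enable above, put into a script that also persists the setting across reboots. This is an added example, not code from the post or from the kernel documentation; the sysctl names are the standard Linux ones, the backlog and retry values are illustrative assumptions, and the optional path argument exists only so the check can be pointed at a test file instead of the live /proc entry. One caveat worth keeping in mind: the kernel only starts sending cookies once the SYN backlog (tcp_max_syn_backlog) is full, so the log line "Sending cookies" means the protection is already on and the backlog is overflowing, not that something still needs switching on.

```shell
#!/bin/sh
# Added example (not from the thread): check, enable and persist TCP SYN cookies.
# The optional argument to the functions is a path override used for testing;
# the default is the real sysctl entry.

SYSCTL_FILE=/proc/sys/net/ipv4/tcp_syncookies

# Print on/off/unknown and return 0/1/2 accordingly.
syncookies_state() {
    f="${1:-$SYSCTL_FILE}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    case "$(cat "$f")" in
        1) echo on;  return 0 ;;
        0) echo off; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Turn cookies on for the running kernel (needs root on the real file),
# then report the resulting state.
enable_syncookies() {
    f="${1:-$SYSCTL_FILE}"
    echo 1 > "$f" || return 1
    syncookies_state "$f"
}

# Emit a sysctl.conf fragment so the setting survives a reboot, together with
# the two knobs that decide when the kernel falls back to cookies.
# The numeric values are assumptions for illustration, not tuned advice.
syncookies_persist_fragment() {
    cat <<'EOF'
# SYN cookies: answer with a stateless cookie once the SYN backlog is full
net.ipv4.tcp_syncookies = 1
# size of the half-open (SYN_RECV) queue before cookies kick in
net.ipv4.tcp_max_syn_backlog = 3024
# fewer SYN-ACK retransmits so abandoned half-open entries expire sooner
net.ipv4.tcp_synack_retries = 2
EOF
}

echo "tcp_syncookies on this host: $(syncookies_state)"
```

To make it permanent, run as root: `syncookies_persist_fragment >> /etc/sysctl.conf && sysctl -p`. The `/proc` write in `enable_syncookies` is equivalent to `sysctl -w net.ipv4.tcp_syncookies=1` and is lost at the next boot, which is why the fragment is there.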
 
Old 08-21-2008, 03:42 PM   #3
zekmaster
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Original Poster
Rep: Reputation: 0
It's already ON!

srv63:/# cat /proc/sys/net/ipv4/tcp_syncookies
1

Any other suggestion to stop this?

Quote:
Aug 21 06:49:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 06:50:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 06:51:07 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:16:11 srv63 -- MARK --
Aug 21 07:23:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:24:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:25:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:26:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:27:24 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
Aug 21 07:32:00 srv63 kernel: possible SYN flooding on port 2790. Sending cookies.
And my iptables -L -n -v:
Quote:
Chain INPUT (policy ACCEPT 3914K packets, 1321M bytes)
 pkts bytes target  prot opt in   out source      destination
    0     0 DROP    tcp  --  eth0 *   0.0.0.0/0   0.0.0.0/0   tcp flags:0x3F/0x17
    0     0 DROP    tcp  --  eth0 *   0.0.0.0/0   0.0.0.0/0   tcp flags:0x03/0x03
    0     0 DROP    tcp  --  eth0 *   0.0.0.0/0   0.0.0.0/0   tcp flags:0x06/0x06
   37  1864 ACCEPT  tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 1/sec burst 5

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out source      destination

Chain OUTPUT (policy ACCEPT 3510K packets, 974M bytes)
 pkts bytes target  prot opt in   out source      destination

Chain SYN_FLOOD (0 references)
 pkts bytes target  prot opt in   out source      destination
    0     0 RETURN  !tcp --  *    *   0.0.0.0/0   0.0.0.0/0
    0     0 RETURN  tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   tcp flags:!0x17/0x02

If there is a chance to stop this, please let me know how.

Last edited by zekmaster; 08-21-2008 at 03:52 PM.
 
Old 08-21-2008, 03:54 PM   #4
jlarsen
Member
 
Registered: Jan 2005
Location: Dallas, TX
Distribution: Slackware 14.1
Posts: 80

Rep: Reputation: 15
Quote:
Originally Posted by zekmaster View Post
it's already ON !
Oops, guess that's why the log says "Sending cookies"

Hang in there - I'm not a security expert, but there are some really knowledgeable people who read this forum.
 
Old 08-21-2008, 03:57 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
What service is running on 2790? The default is PLG Proxy, which I believe is just a generic proxy similar to Squid. Why would that be running on your server? I didn't see any references to it on the lighttpd website.

If you're really being synflooded, the best thing to do is contact your ISP and see if they can put filtering in place to help out. There aren't a whole lot of effective options that you can put in place on your server itself if it's getting overwhelmed by sheer volume of requests.
 
Old 08-21-2008, 04:02 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
This might provide temporary relief (assuming the attacker doesn't simply move to another service port, and assuming you don't mind blocking tcp 2790).

# iptables -I INPUT 1 -p tcp --dport 2790 -j DROP

But, as was mentioned, if they're using up your whole pipe with their packets, you're going to need to talk with your ISP. DDoS is not particularly easy to stop.
 
Old 08-21-2008, 04:04 PM   #7
zekmaster
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Original Poster
Rep: Reputation: 0
I am running a Tracker with 115,000 peers.
XBTT is running on port 2790; when my tracker goes down, I try to bring it back.

I am getting this error:

./xbt_tracker
bind failed: EADDRINUSE


I have to restart my server (init 6) to run XBTT again.

My XBTT tracker was online for over 97 days without any problems; in the past 48 hours, it's been down over 15 times.

I am very sure someone is flooding port 2790 and crashing my XBT announce.

netstat -ant | grep SYN_RECV | wc -l
Quote:
389
cat /proc/sys/net/ipv4/tcp_max_syn_backlog
Quote:
3024
It was 1024; I made it 3024. My server RAM is 4GB.

My website is opening without any problem; just my XBTT software (the "Tracker") is crashing because of the SYN flood on port 2790.

Is it possible to make a rule in iptables to allow 30 requests/second per IP?

If there are more than 30 requests per IP, the firewall drops them, accepts only 30 of them, and allows the other requests after 2-3 seconds.

If possible, please let me know how.

Last edited by zekmaster; 08-21-2008 at 04:43 PM.
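The `netstat -ant | grep SYN_RECV | wc -l` count above says how many half-open connections exist but not where they come from, and that is the question that decides what can help: a few real hosts can be rate-limited per address, while a flood with random spoofed sources cannot. The script below, an added example rather than anything from the post, breaks the same netstat output down per local port and per source address. The netstat lines it runs on are constructed sample data using documentation address ranges, not real peers. One caveat: once the kernel is in cookie mode it no longer queues the SYNs it answers with a cookie, so the SYN_RECV count is capped by the backlog and understates the real SYN rate; a packet capture, as suggested later in the thread, shows the true rate.

```shell
#!/bin/sh
# Added example (not from the thread): summarise half-open connections from
# "netstat -ant" output per local port and per source address, to tell a
# flood from a few real hosts apart from one with spoofed (random) sources.
# SAMPLE_NETSTAT is constructed test data (RFC 5737 documentation addresses).

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2790            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2790         198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:2790         198.51.100.7:40213      SYN_RECV
tcp        0      0 192.0.2.10:2790         198.51.100.7:40214      SYN_RECV
tcp        0      0 192.0.2.10:2790         203.0.113.9:51000       SYN_RECV
tcp        0      0 192.0.2.10:2790         203.0.113.44:6881       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.77:53122      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.78:53123      ESTABLISHED'

# Keep only SYN_RECV rows (read from stdin) whose local address ends in ":<port>".
syn_recv_rows() {
    awk -v p=":$1" '$6 == "SYN_RECV" && substr($4, length($4) - length(p) + 1) == p'
}

# Number of half-open connections on the port.
syn_recv_count() {
    syn_recv_rows "$1" | wc -l | tr -d ' '
}

# Source addresses (source port stripped) with their counts, busiest first.
syn_recv_sources() {
    syn_recv_rows "$1" | awk '{ sub(/:[0-9]+$/, "", $5); print $5 }' | sort | uniq -c | sort -rn
}

# Number of distinct source addresses. Close to syn_recv_count means every
# SYN comes from a different address (spoofing, or simply a very large peer
# set); much smaller means a handful of hosts are responsible and a
# per-source firewall limit has something to bite on.
syn_recv_distinct() {
    syn_recv_sources "$1" | wc -l | tr -d ' '
}

echo "half-open on :2790: $(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count 2790)"
echo "distinct sources:   $(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_distinct 2790)"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources 2790
```

On a live box replace the sample with `netstat -ant | syn_recv_sources 2790`. Modern systems without netstat can use `ss -tan`, whose columns for this purpose line up the same way apart from the state being printed first; adjust the field numbers in `syn_recv_rows` accordingly.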
 
Old 08-21-2008, 04:50 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by zekmaster View Post
Is it possible to make rule in iptables to allow 30 request/second per IP ?

If more then 30 request per IP, firewall drop them & accept only 30 of them and allow other requests after 2-3 seconds.

if possible, please let me know how.
I posted an example on how to do this a while back here.
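The linked example is not reproduced on this page, so here is one way to do the per-IP limit the question asks for, as an added example that is not the linked post's code. It uses the iptables hashlimit match (per-source buckets), written in iptables-restore syntax so it can be reviewed before loading; the port, rate, burst and table sizes are illustrative assumptions. Two things from the ruleset posted earlier in the thread are worth noticing: the SYN_FLOOD chain there has 0 references, so nothing ever jumps to it, and the only rate rule is a global `limit` that ACCEPTs with nothing after it, so under the default ACCEPT policy the excess is accepted anyway and the rule has no effect. The fragment below jumps into the chain and ends it with a DROP. It only helps when the SYNs come from a limited number of real addresses; against spoofed sources each packet is a new bucket, and once the table is full hashlimit drops packets outright, which is why the table size and expiry are set explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): per-source SYN rate limiting for one
# TCP port with the iptables hashlimit match, emitted in iptables-restore
# syntax. Port, rate, burst and hash table sizes are assumptions for
# illustration, not tuned recommendations.

# Print a filter-table fragment; arguments: port, rate per source, burst.
syn_limit_rules() {
    port="${1:-2790}"
    rate="${2:-30/sec}"
    burst="${3:-30}"
    cat <<EOF
*filter
:SYN_FLOOD - [0:0]
# only connection-opening SYNs (SYN set; ACK, RST and FIN clear) enter the chain
-A INPUT -p tcp --dport $port --syn -j SYN_FLOOD
# per source address: $burst SYNs at once, then $rate; packets within the
# limit return to INPUT. htable-max bounds the number of tracked sources and
# htable-expire (ms) ages idle ones out, so a spoofed flood cannot pin the table.
-A SYN_FLOOD -m hashlimit --hashlimit-name syn_$port --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-htable-max 262144 --hashlimit-htable-expire 10000 -j RETURN
# anything above the per-source rate is dropped
-A SYN_FLOOD -j DROP
COMMIT
EOF
}

# Load the fragment without flushing the rules already in INPUT (needs root).
# The SYN_FLOOD chain itself is (re)created from the fragment.
apply_syn_limit() {
    syn_limit_rules "$@" | iptables-restore -n
}

syn_limit_rules "$@"
```

`--syn` is shorthand for the `tcp flags:0x17/0x02` match already visible in the posted ruleset. Older iptables releases spell `--hashlimit-upto` as plain `--hashlimit`. The live bucket table can be inspected under /proc/net/ipt_hashlimit/syn_2790 to see which sources are being held at the limit.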
 
Old 08-21-2008, 05:24 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You should be able to restart the tracker without rebooting the system entirely. Do
Code:
$ sudo lsof -nPi |grep \:2790
Then you can kill the PID that is bound to port 2790 and you should be able to start your tracker again.
 
Old 08-21-2008, 06:05 PM   #10
zekmaster
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks, mates.

Thanks a lot.
 
Old 08-26-2008, 03:02 AM   #11
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 747

Rep: Reputation: 235
Shouldn't we look at what is actually coming in on this port (e.g., wireshark, tcpdump) before we start making solutions to problems we don't know the exact nature of? This could be anything from misconfigured clients, server, or kernel params, using syncookies when not really needed, a faulty app, or one not able to handle the traffic it's getting. 115,000 peers all trying to hit one port at once? Can the app handle that? Is there sufficient bandwidth on your connection? If this is a traffic flow problem, maybe check into traffic shaping (the /sbin/tc tool that often sits lonely). What exactly do you mean by "crashing"? Service doesn't respond, service segfaults, or box kernel panics?

Code:
./xbt_tracker
bind failed: EADDRINUSE
That looks like you're trying to start multiple copies of the same thing on the same port.

Are you really being attacked by some mystery attackers with unknown intentions that are hell-bent on flooding a relatively little-known service on an uncommon port, or is something just not working like it should/you think it should? "Entia non sunt multiplicanda praeter necessitatem."
 
  

