Secure a server used for a SYN attack

DrSchizo · 08-26-2016, 09:10 AM

Hi everybody,

My server has been used against my will for a SYN flood attack.

Code:

Attack detail : 20Kpps/6Mbps
dateTime                          srcIp:srcPort      dstIp:dstPort     protocol    flags    bytes       reason
2016.08.22 02:34:46 CEST   *.*.*.*:1615      *.*.*.*:28        TCP          SYN     40           ATTACK:TCP_SYN

I would like to restart it but I'm afraid that it will start again. Is there a quick fix to prevent this to happen? It doesn't need to be a loing term solution, since I'm planning to transfer all my website to another server and to close it down afterward. I just want it to be functional for the following week.

My server runs Debian, Apache, PHP and MySQL.

Unfortunately, I don't know how the request have been sent. Can I forbid my server to send external request, knowing that none of my website needs to do such a thing?

Thank you in advance for reading and maybe for answering!

Emerson · 08-26-2016, 09:50 AM

Compromised server stays offline. Investigate why it happened so you can secure your server better in the future.

lazydog · 08-26-2016, 01:14 PM

Since this server is compromised you cannot trust anything on including the Data. Hopefully you have full backups and can wipe and reinstall. But before placing it on the Internet again you have to really know and understand how the system got compromised to begin with.

24x7servermanagement · 08-29-2016, 07:02 AM

Agreed with Lazydog, you cannot trust the data. So really find out from which hosting account the attack is going on. It could be one of the account or all of them. So better to scan the accounts for malware. check the recent files changes, review all server logs. One by one if you find the account is clean, move it to new server.