07-07-2008, 04:10 PM  #1
jancat (Member)
strange ddos question


http://img230.imageshack.us/my.php?image=doomkv6.jpg

floodkoruma is a script which secures our servers from SYN floods. But I couldn't understand why our connection to the server was lost on that screen. That is the last screen.

Last log messages:

Jul 7 19:41:27 server filelimits: Increasing file system limits succeeded
Jul 7 19:42:25 server kernel: printk: 234 messages suppressed.
Jul 7 19:42:30 server kernel: printk: 1026977 messages suppressed.
Jul 7 19:49:42 server syslogd 1.4.1: restart.
Jul 7 19:49:42 server syslog: syslogd startup succeeded

As you can see, I rebooted from the APC server. But before it:

Jul 7 19:42:30 server kernel: printk: 1026977 messages suppressed.

Do you have any knowledge about it? Thank you.

07-07-2008, 05:51 PM  #2
unSpawn (Moderator)
Quote (Originally Posted by jancat):
    floodkoruma is a script which secures our servers from SYN floods.
As far as I can see your so-called "floodkoruma" script is (somebody else's) "Ban Flooders" Eggdrop addon TCL script for banning flooders, which is not the same as the kernel's SYN-cookie thing or iptables SYN filtering.


Quote (Originally Posted by jancat):
    Jul 7 19:42:30 server kernel: printk: 1026977 messages suppressed.
It's telling you the kernel doesn't like printing 1026977 similar messages. I don't know what it suppressed because you don't show much logging, but I doubt it'll be the "Increasing file system limits" message.

07-08-2008, 07:45 AM  #3
simonapnic (Member)

Looks like that floodkoruma script is causing a lot of CPU/memory load, as you can see from the top output, so I don't know how wise it is to use it.
There are better SYN flood protections out there which I'm sure would deliver better results than some Eggdrop TCL addon script.
You should look into using iptables and packet filtering rules.

07-08-2008, 09:22 AM  #4
jancat (Member, Original Poster)
http://img148.yehhe.com/images/7336dddd.JPG


It's not about floodkoruma. I closed it and the result is this. The server is crashing. How can I protect the server from this attack?

07-08-2008, 10:03 AM  #5
jancat (Member, Original Poster)
Kernel logs:

Jul 8 15:03:36 server kernel: printk: 195127 messages suppressed.
Jul 8 15:03:41 server kernel: printk: 195461 messages suppressed.
Jul 8 15:03:46 server kernel: printk: 196644 messages suppressed.
Jul 8 15:03:51 server kernel: printk: 196851 messages suppressed.
Jul 8 15:03:56 server kernel: printk: 199560 messages suppressed.
Jul 8 15:04:01 server kernel: printk: 171665 messages suppressed.
Jul 8 15:04:06 server kernel: printk: 184212 messages suppressed.
Jul 8 15:04:11 server kernel: printk: 160231 messages suppressed.
Jul 8 15:04:16 server kernel: printk: 168367 messages suppressed.
Jul 8 15:04:21 server kernel: printk: 193563 messages suppressed.
Jul 8 15:04:26 server kernel: printk: 185255 messages suppressed.
Jul 8 15:04:31 server kernel: printk: 207514 messages suppressed.
Jul 8 15:04:36 server kernel: printk: 212488 messages suppressed.
Jul 8 15:04:41 server kernel: printk: 214217 messages suppressed.
Jul 8 15:04:46 server kernel: printk: 214151 messages suppressed.
Jul 8 15:04:51 server kernel: printk: 214588 messages suppressed.
Jul 8 15:04:56 server kernel: printk: 214568 messages suppressed.
Jul 8 15:05:01 server kernel: printk: 214163 messages suppressed.
Jul 8 15:05:06 server kernel: printk: 213733 messages suppressed.
Jul 8 15:05:11 server kernel: printk: 213517 messages suppressed.
Jul 8 15:05:16 server kernel: printk: 214543 messages suppressed.

07-08-2008, 10:58 AM  #6
unSpawn (Moderator)
We'd be interested in reading the lines *before* the "printk: n messages suppressed" one. Running 'grep -v suppressed /var/log/messages > /tmp/messages.$$' should give you the interesting lines in the file "/tmp/messages.$$", unless /var/log/messages was rotated, in which case you want to check the earlier /var/log/messages.* logs.
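As an added example (not posted by anyone in the thread), a small shell triage of a syslog excerpt in the format shown above: it applies the grep -v step from the reply, totals the "messages suppressed" counts, and estimates how many messages per second the kernel was dropping between reports. The sample log is constructed: the suppressed counts are the ones posted above, while the SYN-flooding and sshd lines are made up for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the thread): separates the lines worth reading
# from the "printk: N messages suppressed" rate-limit reports and estimates
# the suppression rate between reports.
# Constructed sample in the thread's log format; the two lines that are not
# rate-limit reports are made up for illustration.
SAMPLE_LOG='Jul  8 15:03:30 server kernel: possible SYN flooding on port 80. Sending cookies.
Jul  8 15:03:36 server kernel: printk: 195127 messages suppressed.
Jul  8 15:03:41 server kernel: printk: 195461 messages suppressed.
Jul  8 15:03:46 server kernel: printk: 196644 messages suppressed.
Jul  8 15:03:46 server sshd[1234]: Accepted publickey for admin from 192.0.2.10'

# The grep -v step from the reply: everything that is not a rate-limit report.
interesting_lines() {
    printf '%s\n' "$1" | grep -v 'messages suppressed'
}

# Sum of all suppressed counts in the excerpt.
suppressed_total() {
    printf '%s\n' "$1" | awk '
        /printk: [0-9]+ messages suppressed/ {
            for (i = 1; i <= NF; i++) if ($i == "printk:") total += $(i + 1)
        }
        END { print total + 0 }'
}

# Suppressed messages per second between the first and last report.
# Each report covers the interval since the previous one, so the first count
# is left out of the numerator. Timestamps come from field 3 (HH:MM:SS) and
# are assumed not to cross midnight.
suppressed_rate() {
    printf '%s\n' "$1" | awk '
        /printk: [0-9]+ messages suppressed/ {
            split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "printk:") n = $(i + 1)
            if (reports == 0) { first = secs } else { total += n }
            last = secs; reports++
        }
        END {
            span = last - first
            if (reports < 2 || span <= 0) { print 0; exit }
            print int(total / span)
        }'
}

echo "Lines to read:"; interesting_lines "$SAMPLE_LOG"
echo "Suppressed total: $(suppressed_total "$SAMPLE_LOG")"
echo "Suppression rate: $(suppressed_rate "$SAMPLE_LOG") messages/s"
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or the rotated /var/log/messages.* files) and read the non-suppressed lines that precede the first report.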
All times are GMT -5.