possible SYN flooding
Any idea what this is please.
kernel: [10718182.340062] possible SYN flooding on port 53. Sending cookies.
Out of the blue it started over the weekend.
Thinking it might be something to do with DNS I restarted the DNS service.
I removed all entries from the CSF LFD blocklist and the errors appear to have subsided. Where I was seeing one every minute, I've now not seen one for the last 15 minutes. I'll monitor.
It must have been a coincidence as they started again.
Details on what a SYN flood attack is can be found here: SYN flood - Wikipedia. If it is legitimately a SYN flood attack, CSF has protection for that which can be configured (portflood, synflood protection).
I spent a huge part of my day yesterday trying to find an answer. But I've absolutely no idea what's causing it. It seems to have started on Friday night. I'm a bit confused as to it being on port 53, and concerned that it might be DNS related. Or would you suggest that I'm under a SYN flood attack?
Today I ran netstat -nta | egrep "State|53" and can see a number of entries on my port 53:

    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.5:56332 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.32:49003 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.233:64038 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.1:40350 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.242:38055 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.129:63249 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.208:53976 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.135:46353 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.59:59682 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.120:47536 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.90:34748 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.161:55723 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.120:59579 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.165:52384 SYN_RECV
    tcp 0 0 xxx.xxx.xxx.xx:53 yyy.yy.240.93:55971 SYN_RECV

Could these be related? Could anyone give any pointers to help me try and determine the root?
I thought I'd found the culprit, but alas not.
OK here goes. I added 53;tcp;2;300
to the PORTFLOOD setting in CSF, which started logging port flood messages in var/log/messages. This setting allows 2 hits in a 300 second window. It might seem harsh, but at least it identified a range of IPs, all coming from Italy. For the time being I've blocked the whole of Italy in CC_DENY. Let's see what tomorrow brings.
Yea, they would definitely be related - the notification stated specifically that it was port 53 (DNS) that was being flooded. As far as the root cause of it? I wouldn't have a way to know; you'd have to identify a commonality - a lot of times (like I see you just responded with) they originate from the same location.
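One way to surface the "commonality" the reply above refers to, as an added example that is not from this thread, from CSF or from the kernel: parse the netstat -nta listing, keep only half-open (SYN_RECV) entries to port 53, and count them per source /24. The sample output and its addresses are constructed (RFC 5737 documentation ranges), and the threshold is an assumption to tune.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample modelled on the netstat -nta output quoted in the thread;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:53           198.51.100.5:56332      SYN_RECV
tcp        0      0 192.0.2.10:53           198.51.100.32:49003     SYN_RECV
tcp        0      0 192.0.2.10:53           198.51.100.233:64038    SYN_RECV
tcp        0      0 192.0.2.10:53           198.51.100.1:40350      SYN_RECV
tcp        0      0 192.0.2.10:53           203.0.113.7:40351       SYN_RECV
tcp        0      0 192.0.2.10:53           203.0.113.7:40352       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51000       ESTABLISHED
"""

# proto recv-q send-q local:port foreign:port state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def half_open_by_prefix(netstat_text, port=53, prefix_len=24):
    """Count half-open (SYN_RECV) connections to `port`, grouped by the
    /prefix_len network of the foreign address. Grouping by prefix exposes
    a shared origin that a per-IP listing hides."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, udp lines, anything else
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) != port or state != "SYN_RECV":
            continue
        counts[str(ip_network((remote, prefix_len), strict=False))] += 1
    return counts


def suspicious_prefixes(netstat_text, threshold=3, **kw):
    """Prefixes at or above `threshold` half-open connections: candidates to
    investigate or rate-limit (e.g. with a PORTFLOOD rule), not to block
    blindly, since a busy legitimate resolver can also appear here."""
    return sorted(p for p, n in half_open_by_prefix(netstat_text, **kw).items()
                  if n >= threshold)

if __name__ == "__main__":
    for prefix, n in half_open_by_prefix(SAMPLE_NETSTAT).most_common():
        print(f"{prefix:<20} {n} half-open to port 53")
    print("suspicious:", suspicious_prefixes(SAMPLE_NETSTAT))
```

On a live host, feed it the real listing (for example the output of netstat -nta, or ss -tan with the same column order) and compare the prefixes against the GeoIP or ASN data before deciding between a CC_DENY, a PORTFLOOD rule, or no action.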
May I run this scenario past you. Let's assume that this is a bot, or maybe even just a single computer, and it's firing DNS requests at me. However, these DNS packets are coming through innocent DNS servers (they are after all DNS packets). Could I just be blocking IPs associated with DNS servers and subsequently backing myself into a corner?
If you think about it, if they've become vulnerable or compromised to broadcasting an attack like this, do you really want them to be able to continue to connect?