SYN Flood from Google IPs
I'm getting a SYN flood attack from Google IPs (66.249.85.109 and others).
IP Whois:
Reverse DNS (PTR record): google-proxy-66-249-85-109.google.com
ASN name (ISP): Google Inc.
Organization: Google Inc. (GOGL)
IP-range/subnet: 66.249.64.0/19 - 66.249.64.0 - 66.249.95.255
Has anyone experienced this, or does anyone have any idea of the reason for a Google IP to do this?
Logs:
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59822 PROTO=TCP SPT=43436 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59823 PROTO=TCP SPT=39999 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= MAC=08:00:27:72:68:82:00:24:38:be:ee:40:08:00 SRC=66.249.85.109 DST=123.456.789.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=59824 PROTO=TCP SPT=56989 DPT=80 WINDOW=42780 RES=0x00 SYN URGP=0
CSF Port Flood Settings:
SYNFLOOD = 1
SYNFLOOD_RATE = 100/s
SYNFLOOD_BURST = 150
PORTFLOOD = 80;tcp;500;5
UDPFLOOD = 0
It is possible you are under a denial of service (DoS) attack. I would check your domain access logs to see if those IPs are actually browsing a site; if not, the source of the SYN is probably spoofed. It is not uncommon to spoof source IP addresses of well-known providers for UDP floods or SYN floods because people are reluctant to block those IP addresses. In other words, the traffic might not actually be from Google because attacks can spoof the source address of the SYN. Generally I figure Google has very good engineers so the odds of them actually attacking someone are very small.
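The cross-check suggested in this answer, as an added example that is not part of the original thread: it counts blocked SYN sources in the firewall log and looks each one up in the web access log, since an access-log entry requires a completed TCP handshake that a spoofed source cannot normally complete. The log lines are constructed samples in the format quoted in the question; the Apache combined access-log format and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample logs (not from the thread). Firewall lines follow the
# format quoted in the question; access lines assume Apache combined format.
KERNEL_LOG = """\
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=66.249.85.109 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43436 DPT=80 SYN URGP=0
Jun 27 09:10:22 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=66.249.85.109 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=39999 DPT=80 SYN URGP=0
Jun 27 09:10:23 server10 kernel: Firewall: *SYNFLOOD Blocked* IN=enp0s3 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Jun 27 09:10:23 server10 sshd[812]: Accepted publickey for admin from 198.51.100.4 port 50022 ssh2
"""
ACCESS_LOG = """\
203.0.113.7 - - [27/Jun/2019:09:10:20 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2019:09:10:21 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jun/2019:09:10:22 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "curl/7.64"
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SYN_RE = re.compile(r"\*SYNFLOOD Blocked\*.*?\bSRC=" + IPV4 + r"\b")
ACCESS_RE = re.compile(r"^" + IPV4 + r" \S+ \S+ \[")  # client IP is field 1

def flood_sources(kernel_lines):
    """Count blocked SYNs per source address in the firewall log."""
    return Counter(m.group(1) for line in kernel_lines if (m := SYN_RE.search(line)))

def http_clients(access_lines):
    """Count logged HTTP requests per client; each one needed a full handshake."""
    return Counter(m.group(1) for line in access_lines if (m := ACCESS_RE.match(line)))

def triage(kernel_lines, access_lines):
    """Map each flood source to (blocked SYNs, HTTP requests, verdict)."""
    syns, reqs = flood_sources(kernel_lines), http_clients(access_lines)
    report = {}
    for ip, blocked in syns.most_common():
        served = reqs.get(ip, 0)
        # No request ever logged: nothing shows this address finished a
        # handshake, which is what a spoofed SYN source looks like.
        verdict = "real client, rate-limited" if served else "likely spoofed"
        report[ip] = (blocked, served, verdict)
    return report

if __name__ == "__main__":
    for ip, row in triage(KERNEL_LOG.splitlines(), ACCESS_LOG.splitlines()).items():
        print(f"{ip:15} blocked_syn={row[0]} http_requests={row[1]} -> {row[2]}")
```

Compare logs that cover the same time window; an address with no logged requests is consistent with spoofing, not proof of it.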
I analyzed the logs; it is very likely that this IP is false. Thanks for the help.
Hello, I'm happy to see the information in the earlier post was helpful. Thank you for updating us with the outcome.