Re: DoS problem.

[Matthew Baker <m () wheres co uk>]

Hi Jorge,

Looks like a SYN flood attack to me. If you are using linux on the 
servers then use syncookies[1] to stop this. They are not enabled by 
default because strictly speaking they are not rfc compliant.

To do this edit /etc/sysctl.conf and add this line:

net/ipv4/tcp_syncookies=1

Then apply the changes by running:

$ sysctl -p

[1] http://cr.yp.to/syncookies.html

Cheers,

Matt

Jorge Alfredo Garcia wrote:
> I have two dedicated servers, both hosted by the same provider and
> both on the same segmnet.
> I am under a denial of services attack but idont know exactaly how to stop it.
> Here is a piece of my netstat output:
>
> tcp        0      1 XX.XX.XX.AA:47561           XX.XX.XX.BB:80        
>      SYN_SENT
> tcp        0      1 XX.XX.XX.AA:47562           XX.XX.XX.BB:80        
>      SYN_SENT
> tcp        0      1 XX.XX.XX.AA:47565           XX.XX.XX.BB:80        
>      SYN_SENT
> tcp        0      1 XX.XX.XX.AA:47564           XX.XX.XX.BB:80        
>      SYN_SENT
> tcp        0      1 XX.XX.XX.AA:47567           XX.XX.XX.BB:80        
>      SYN_SENT
>
> Ok, XX.XX.XX.AA is the server i am in now.
> XX.XX.XX.BB is mine two and here are the connections:
>
> tcp        0      0 XX.XX.XX.BB:80              XX.XX.XX.AA:50749     
>      SYN_RECV
> tcp        0      0 XX.XX.XX.BB:80              XX.XX.XX.AA:50598     
>      SYN_RECV
> tcp        0      0 XX.XX.XX.BB:80              XX.XX.XX.AA:50309     
>      SYN_RECV
>
> I have thousands of this connections on both servers.
> I make iptables rules in both sites but the attack still running and
> the rules dont work.
>
> I cant understand how this attack can be made taking into account that
> the attacker isnt inside any of my servers.
> Why iptables rules dont work against this?
>
> Thanx in advance.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------