Kevin Brosius on 14 Feb 2004 02:45:03 -0000



Re: [PLUG] SYN attacks?


George wrote: 
> On Fri, Feb 13, 2004 at 05:38:04PM -0500, Kevin Brosius wrote:
> 
> > Here's a general question about network attacks. I noticed yesterday
> > that I was receiving heavy network traffic, enough to flood my firewall
> > and take me off the net. After a little investigation, I find that I am
> > receiving a huge amount of TCP traffic from a single net address.
> > (sc-f100-01.extremenetworks.com - 63.251.106.30 in case anyone has
> > suggestions about reporting this)
> 
> DShield.org has 100+ records of abuse from that host in the past 2 weeks
> - <http://www.dshield.org/ipinfo.php?ip=63.251.106.30&Submit=Submit>.
> According to that page, abuse reports should be sent to
> abuse@internap.com.

Excellent, this is very helpful.  Thank you.

> 
> > I let it go for about an hour, then
> > started dropping all network traffic from that IP.
> 
> What are the characteristics of this traffic? Which ports are targeted?
> Are these purely SYNs, as the subject suggests? If so, are you operating
> any sort of service that's publicly available, like a web server?

I haven't analyzed the incoming traffic, beyond noting the heavy load,
doing a netstat, and seeing the kernel mention "possible SYN flooding on
port 80".  What's the best way to check that?  I'm hoping Speakeasy will
jump on this fairly soon.

Yes, I have several public services running.  Webservers on port 80 &
3000, cvs server.  Mail is running also, receive only publicly.

-- 
Kevin
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
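Kevin asks above how to check whether the incoming traffic is purely SYNs. As an added example (not from this thread or either poster), the script below summarises constructed `netstat -nt`-style output, counting half-open (SYN_RECV) connections per remote address and per local port, which is the condition behind the kernel's "possible SYN flooding on port 80" message. The sample lines, the addresses in them and the threshold of 3 are all constructed for illustration.

```python
from collections import Counter

# Constructed sample in the layout of Linux `netstat -nt` output
# (proto, recv-q, send-q, local address, foreign address, state).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.10:3000         198.51.100.7:40005      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:33001       ESTABLISHED
tcp        0      0 192.0.2.10:2401         203.0.113.9:33002       SYN_RECV
"""

def parse_netstat(text):
    """Return (local_port, remote_ip, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        remote_ip = parts[4].rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, parts[5]))
    return rows

def half_open_summary(rows):
    """Count half-open (SYN_RECV) entries per remote address and per local port."""
    by_source, by_port = Counter(), Counter()
    for local_port, remote_ip, state in rows:
        if state == "SYN_RECV":
            by_source[remote_ip] += 1
            by_port[local_port] += 1
    return by_source, by_port

def suspect_sources(by_source, threshold=3):
    """Remote addresses holding at least `threshold` half-open connections.
    The threshold is a constructed value; tune it to the host's normal backlog."""
    return sorted(ip for ip, n in by_source.items() if n >= threshold)

if __name__ == "__main__":
    src, port = half_open_summary(parse_netstat(SAMPLE_NETSTAT))
    print("half-open by source:", dict(src))      # one address dominates
    print("half-open by local port:", dict(port))  # port 80 is the target
    print("suspect sources:", suspect_sources(src))
```

On a live host, feed it the real output (`netstat -nt | python3 script.py` with `sys.stdin.read()` in place of the sample); a single source holding many SYN_RECV entries and no ESTABLISHED ones, concentrated on one local port, is the pattern to report along with the timestamps.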