Kevin Brosius on 14 Feb 2004 02:45:03 -0000

George wrote:

> On Fri, Feb 13, 2004 at 05:38:04PM -0500, Kevin Brosius wrote:
>
> > Here's a general question about network attacks. I noticed yesterday
> > that I was receiving heavy network traffic, enough to flood my firewall
> > and take me off the net. After a little investigation, I find that I am
> > receiving a huge amount of TCP traffic from a single net address.
> > (sc-f100-01.extremenetworks.com - 63.251.106.30 in case anyone has
> > suggestions about reporting this)
>
> DShield.org has 100+ records of abuse from that host in the past 2 weeks
> - <http://www.dshield.org/ipinfo.php?ip=63.251.106.30&Submit=Submit>.
> According to that page, abuse reports should be sent to
> abuse@internap.com.

Excellent, this is very helpful. Thank you.

> > I let it go for about an hour, then
> > started dropping all network traffic from that IP.
>
> What are the characteristics of this traffic? Which ports are targeted?
> Are these purely SYNs, as the subject suggests? If so, are you operating
> any sort of service that's publicly available, like a web server?

I haven't analyzed the incoming traffic, beyond noting the heavy load, doing a netstat, and seeing the kernel mention "possible SYN flooding on port 80". What's the best way to check that? I'm hoping Speakeasy will jump on this fairly soon.

Yes, I have several public services running. Webservers on port 80 & 3000, cvs server. Mail is running also, receive only publicly.

--
Kevin

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
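One way to answer "what's the best way to check that?" from the socket table alone: count half-open (SYN_RECV) connections per remote host and local port in `netstat -tn` output. This is an added example, not code from the thread; the netstat sample, addresses and the threshold of 3 are constructed for illustration.

```python
"""Added example: summarise SYN_RECV entries in `netstat -tn` output per
local port and remote host, so a kernel "possible SYN flooding on port 80"
message can be compared with what the socket table actually shows."""
from collections import Counter

# Constructed sample of `netstat -tn` output; addresses and counts are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:41002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41004      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:55120       ESTABLISHED
tcp        0      0 192.0.2.10:3000         198.51.100.7:41005      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:60001       ESTABLISHED
"""

def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each tcp row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip the header and any non-TCP rows
        local, foreign, state = fields[3], fields[4], fields[5]
        # rsplit on the last ':' so IPv6-mapped addresses also parse
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = foreign.rsplit(":", 1)[0]
        yield local_port, remote_ip, state

def half_open_by_source(text):
    """Count SYN_RECV (half-open) sockets keyed by (remote_ip, local_port)."""
    counts = Counter()
    for local_port, remote_ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[(remote_ip, local_port)] += 1
    return counts

def suspected_flooders(text, threshold=3):
    """Remote IPs holding at least `threshold` half-open sockets to any one
    local port. The threshold is an assumed tuning knob, not a standard."""
    counts = half_open_by_source(text)
    return sorted({ip for (ip, port), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    for (ip, port), n in half_open_by_source(SAMPLE_NETSTAT).most_common():
        print(f"{ip:>16} -> port {port:<5} half-open: {n}")
    print("suspected:", suspected_flooders(SAMPLE_NETSTAT))
```

Piping live output in (`netstat -tn | python3 synrecv.py`, reading stdin instead of the sample) shows which public service the kernel message refers to and whether the half-open sockets come from one host, which is the fact an abuse report to the listed contact needs.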