
I am hosting a website on Linux (Debian Wheezy x64). Our web server is LiteSpeed

  • using APF-Firewall and DDoS-Defeat

Recently we have been getting log entries like the one below, which suggest a potential attack (??); however, searches to understand this specific situation have brought zero useful results.

Could you please shed more light on this sort of log entry? Should we care about it? If so, any suggestions?

www kernel: [2175206.842121]  ** RABHIT ** IN=eth0 OUT= MAC=02:00:00:5b:00:82:10:bd:18:e5:ff:80:08:00 SRC=195.39.196.50 DST=xx.xx.xx.xx LEN=44 TOS=0x08 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=80 DPT=1 WINDOW=0 RES=0x00 ACK SYN URGP=0

The DST is of course the machine's IP.

There are not many repeated logs like this, 1-3 from time to time, with different SRC IPs.

Thank you


The packet looks almost like a legitimate SYN-ACK packet. The only part of the packet which looks wrong is the ephemeral port number. The ephemeral ports are supposed to be from 49152 and up, but in your packet, it is 1.

It looks like a possible SYN flood attack against 195.39.196.50. That IP is being attacked, and the attacker is spoofing your source IP address in the attack (the attacker is likely spoofing thousands of other addresses simultaneously). And the ephemeral port number is chosen by the attacker as well.

If that is indeed what is going on, it will be easy for the administrator to fend off this particular SYN flood, because they could just reject all SYN packets using 1 as ephemeral port.

A SYN flood is attempting to exhaust memory on the server. Each SYN packet received by that server will allocate some memory, which will stay allocated until the connection times out. You could reduce the impact on that server by ensuring that your firewall responds to the unrecognized packet with a RST packet. That way instead of having memory allocated until the connection times out, it will only be allocated for the few milliseconds it takes to send the SYN-ACK and get a RST back.

kasperd
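As an added illustration of the backscatter reasoning in the answer above (example code written for this page, not from the original question or answer, and not part of APF or LiteSpeed): a small parser for the netfilter KEY=VALUE log format that flags a SYN-ACK arriving on a port below the ephemeral range as a likely reply to a SYN this host never sent, and counts such entries per SRC so the apparent flood victims stand out. The first sample line is the entry from the question; the second is a constructed ordinary SYN-ACK to an ephemeral port for contrast. The 49152 threshold follows the answer; a Linux host using the default ip_local_port_range would lower it to 32768.

```python
from collections import Counter

# Constructed sample log lines: the first is the entry from the question, the
# second is a made-up legitimate SYN-ACK to an ephemeral local port.
SAMPLE_LOGS = [
    "www kernel: [2175206.842121]  ** RABHIT ** IN=eth0 OUT= MAC=02:00:00:5b:00:82:10:bd:18:e5:ff:80:08:00 SRC=195.39.196.50 DST=xx.xx.xx.xx LEN=44 TOS=0x08 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=80 DPT=1 WINDOW=0 RES=0x00 ACK SYN URGP=0",
    "www kernel: [2175300.000000]  ** RABHIT ** IN=eth0 OUT= MAC=02:00:00:5b:00:82:10:bd:18:e5:ff:80:08:00 SRC=203.0.113.9 DST=xx.xx.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=0 PROTO=TCP SPT=443 DPT=51234 WINDOW=29200 RES=0x00 ACK SYN URGP=0",
]

# Bare flag words that netfilter prints without a KEY= prefix.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Lower bound of the ephemeral range as stated in the answer (IANA dynamic range).
# Assumption: adjust to 32768 for a Linux host with the default ip_local_port_range.
EPHEMERAL_MIN = 49152


def parse_netfilter_log(line):
    """Parse one netfilter log line into a dict; flag words are collected under 'FLAGS'."""
    fields = {"FLAGS": set()}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            fields["FLAGS"].add(token)
    return fields


def is_likely_backscatter(fields):
    """A SYN-ACK whose destination port is below the ephemeral range cannot be a reply
    to a connection this host opened, so it is most likely backscatter from a SYN flood
    that spoofed our address."""
    if fields.get("PROTO") != "TCP" or fields["FLAGS"] != {"SYN", "ACK"}:
        return False
    try:
        dpt = int(fields["DPT"])
    except (KeyError, ValueError):
        return False
    return dpt < EPHEMERAL_MIN


def backscatter_sources(lines):
    """Count likely-backscatter entries per SRC; each SRC is an apparent flood victim."""
    counts = Counter()
    for line in lines:
        fields = parse_netfilter_log(line)
        if is_likely_backscatter(fields):
            counts[fields["SRC"]] += 1
    return counts
```

Feeding a day of kernel log lines through backscatter_sources gives a per-victim tally; if the same few SRC addresses recur you are seeing a sustained flood elsewhere, not an attack on your host.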