Questions tagged [syn]

43 questions
9 votes, 2 answers

tcpdump capture new connections only

I am using tcpdump to capture traffic from a specific IP address. Is there a way to capture new connections only, meaning TCP streams that start with a SYN packet?
Ania Katzenelson
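The tcpdump filter that does this is `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`, combined with `host <addr>` for the IP of interest. What follows is an added example, not code from this question or its answers: it builds a few TCP headers by hand (ports and sequence numbers are constructed), reads the flag byte the way the BPF expression does, and shows why the masked comparison is preferable to the tempting `tcp[tcpflags] == tcp-syn`, which misses SYNs that also carry the ECN-setup bits.

```python
"""Which TCP segments start a new connection?

Added example (not from the question or answers on this page).  It mirrors the
BPF expression  tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn  by parsing the
flag byte of a few constructed TCP headers; nothing here is captured traffic.
"""
import struct

# Flag bits in byte 13 of the TCP header (RFC 793; ECE/CWR from RFC 3168).
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (1 << i for i in range(8))


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header with the given flag bits set."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte (offset 13), which is what tcpdump calls tcp[tcpflags]."""
    return segment[13]


def is_new_connection(segment: bytes) -> bool:
    """True only for the first packet of a handshake: SYN set and ACK clear.

    This is the masked comparison 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'.
    The server's SYN/ACK has both bits set, so it is excluded.
    """
    return tcp_flags(segment) & (TH_SYN | TH_ACK) == TH_SYN


def is_new_connection_naive(segment: bytes) -> bool:
    """The fragile version, 'tcp[tcpflags] == tcp-syn'.

    It misses SYNs that also carry the ECN-setup bits (ECE|CWR), which stacks
    send when they try to negotiate ECN.
    """
    return tcp_flags(segment) == TH_SYN


# Constructed sample segments; addresses are implied, only the TCP header matters.
SAMPLES = {
    "client SYN":          build_tcp_header(40000, 80, TH_SYN),
    "client SYN with ECN": build_tcp_header(40001, 80, TH_SYN | TH_ECE | TH_CWR),
    "server SYN/ACK":      build_tcp_header(80, 40000, TH_SYN | TH_ACK, ack=1),
    "client final ACK":    build_tcp_header(40000, 80, TH_ACK, seq=1, ack=1),
    "data PSH/ACK":        build_tcp_header(40000, 80, TH_PSH | TH_ACK, seq=1, ack=1),
    "RST":                 build_tcp_header(80, 40000, TH_RST | TH_ACK),
}


def classify(samples=SAMPLES) -> dict:
    """Apply both filters to every sample; returns {name: (masked_result, naive_result)}."""
    return {name: (is_new_connection(seg), is_new_connection_naive(seg))
            for name, seg in samples.items()}


if __name__ == "__main__":
    for name, (masked, naive) in classify().items():
        print(f"{name:22} masked={masked!s:5} naive={naive!s:5}")
```

On a live box the equivalent capture is `tcpdump -ni eth0 'host 203.0.113.5 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` (interface and address are placeholders); add `-w file.pcap` to keep the SYNs for later inspection.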
9 votes, 1 answer

No response to some SYN packets when timestamps are enabled

I have a TCP server listening on a machine ("the server") running Ubuntu 12.04.3 (kernel 3.8.0-31-generic). It receives connections from 2 different client machines. Machine A is running Ubuntu 12.04.4 (3.11.0-17-generic) and machine B is running…
user133831
5 votes, 3 answers

How to ban SYN flood attacks using Fail2Ban?

In my log, I am frequently seeing dropped IPs like this: Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT= MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116 DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212 PROTO=TCP…
Neel
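A Fail2Ban jail for this log needs a failregex that matches only dropped SYNs, and the usual caveat applies: a real SYN flood comes from spoofed sources, so per-IP bans just grow the iptables ruleset while the flood continues; for that case SYN cookies and a rate limit (for instance iptables `-m hashlimit --hashlimit-mode srcip`) are the right tools, and Fail2Ban is useful mainly against a handful of persistent scanners. The block below is an added example, not code from this question or its answers. It parses constructed kernel LOG lines in the same format as the one quoted (the "IPTables Dropped:" prefix, addresses, MAC and timestamps are made up), counts dropped SYNs per source and per port, and applies a Fail2Ban-style maxretry/findtime decision; the regex is what a failregex for this log would express with `<HOST>` spelled out as a named group.

```python
"""Per-source accounting of dropped SYNs from iptables LOG lines.

Added example, not code from this question or its answers.  The sample lines are
constructed in the format of the kernel LOG line quoted in the question
(prefix "IPTables Dropped:"); addresses, MAC and timestamps are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log.  Lines 1-3 and 6 are SYNs from one source, line 4 a SYN
# to port 22 from another, line 5 a stray ACK (not a SYN, so it must not count).
SAMPLE_LOG = """\
Oct 30 17:32:24 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212 PROTO=TCP SPT=52413 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 17:32:25 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45213 PROTO=TCP SPT=52414 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 17:32:26 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45214 PROTO=TCP SPT=52415 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 17:32:30 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 30 17:32:31 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Oct 30 17:40:00 web kernel: IPTables Dropped: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45300 PROTO=TCP SPT=52500 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Same shape as a Fail2Ban failregex for this log, with <HOST> as a named group.
# The bare "SYN" token before URGP= is how the LOG target prints TCP flags, so
# anchoring on it keeps ACK/RST/FIN drops out of the count.
SYN_DROP = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: IPTables Dropped: IN=\S* "
    r".*?SRC=(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=TCP .*?DPT=(?P<dport>\d+) .*? SYN URGP="
)


def parse_syn_drops(log_text, year=2014):
    """Return [(timestamp, source_host, dport)] for every dropped-SYN line.
    Syslog timestamps carry no year, so one is supplied (an assumption here)."""
    events = []
    for line in log_text.splitlines():
        m = SYN_DROP.match(line)
        if not m:
            continue  # ACK/RST drops, UDP, other prefixes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], int(m["dport"])))
    return events


def syn_drops_by_port(events):
    """Which destination ports are being probed or flooded."""
    return Counter(dport for _, _, dport in events)


def hosts_to_ban(events, maxretry=3, findtime_s=600):
    """Fail2Ban's rule, approximated: ban a host once it has maxretry hits inside
    any findtime window.  Returns {host: time of the hit that triggered the ban}."""
    per_host = defaultdict(list)
    for ts, host, _ in sorted(events):
        per_host[host].append(ts)
    banned = {}
    for host, times in per_host.items():
        for i in range(len(times) - maxretry + 1):
            # Window anchored at hit i: the maxretry-th hit must fall inside findtime.
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s:
                banned[host] = times[i + maxretry - 1]
                break
    return banned


if __name__ == "__main__":
    evts = parse_syn_drops(SAMPLE_LOG)
    print("dropped SYNs by port:", dict(syn_drops_by_port(evts)))
    for host, when in hosts_to_ban(evts).items():
        print(f"would ban {host} at {when:%H:%M:%S}")
```

With the constructed sample, 198.51.100.7 crosses maxretry=3 within seconds and would be banned, while 203.0.113.44 does not, and its ACK line is ignored by the regex. Before turning a regex like this into a jail, run it against a day of real log with `fail2ban-regex` and check that the dropped SYNs are not simply retransmissions from clients behind a busy NAT.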
5 votes, 1 answer

every minute - possible SYN flooding on port 80

On our Linux server, from time to time, we get the well-known SYN flood message "possible SYN flooding on port 80". This is probably not an attack, because website traffic is high. However, for some time those messages have been coming every ~60 seconds. What I…
Nick
4 votes, 3 answers

Lots of connections in SYN_RECV, not a SYN flood, is it some reflection attack?

For at least a few months, issuing a netstat -t command on our web server, which has TCP ports 22, 80 and 443 exposed to the Internet, has often revealed dozens of connections in SYN_RECV status: $ netstat -nt Active Internet connections (w/o…
Ale
4 votes, 0 answers

TCP connection stuck in SYN_RECV state despite ACK received

My client and server are both internal machines. tcpdump on both client and server shows all three parts of the handshake being exchanged; however, netstat on the server shows SYN_RECV, and on the client shows ESTABLISHED. The server keeps sending a SYN-ACK as…
Michael Yoon
4 votes, 2 answers

98% CPU usage on Ubuntu server running Apache, site is unresponsive

I run a server with apache2 on an Ubuntu box. It is a crypto mining pool. Everything was running normally, even with the large inflow of people accessing our site. Then, out of nowhere, our CPU usage across all 8 cores is at 98 to 100%. I use a reverse…
4 votes, 1 answer

problems simulating TCP SYN flood

I'm trying to simulate a TCP SYN flood to tune a web server (planning to deploy on AWS). I set up a 'target' VM, disabled iptables, and am running hping (hping -p 80 -i u1000 -c 1000 -S destaddr) from a couple of local 'source' machines (filtering RST in…
Alex I
3 votes, 1 answer

TCP SYN cookies are always turned on when enabled?

For Linux kernel 2.6.32, if I set net.ipv4.tcp_syncookies = 1, will that always be used, or only during a SYN flood attack? I found 2 sources which say the opposite. 1: "There are, however, two caveats that take effect when SYN cookies are in use.…
defiler
3 votes, 3 answers

better alternative for tcp_syncookies in Linux

In an effort to prevent DDoS attacks I followed suggestions to leave the /proc/sys/net/ipv4/tcp_syncookies value set to 1 on my Linux box to enable TCP SYN cookies. However, when I look at this URL:…
user286228
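The two questions above (whether tcp_syncookies = 1 is always in effect, and what the alternatives are) turn on the same mechanism, so one added example serves both. On Linux the sysctl has three values: 0 never sends cookies and drops SYNs once the listen socket's SYN queue is full; 1 sends cookies only when that queue overflows, which is the moment the kernel logs "possible SYN flooding on port N. Sending cookies."; 2 sends cookies for every SYN and keeps no half-open state. The cost of cookie mode is that TCP options from the SYN (window scaling, SACK) survive only if the client uses timestamps, which the kernel uses to carry them, so a larger net.ipv4.tcp_max_syn_backlog with cookies as the overflow fallback is the usual tuning rather than mode 2. The block below is not kernel code and not from any answer on this page: it models a listen socket under each setting, issues a simplified stateless cookie (an HMAC over the 4-tuple, client ISN and a coarse counter, with an MSS index in the low two bits; the real kernel's hash, 64-second counter and MSS table differ), and lets a legitimate client try to connect behind a constructed spoofed flood.

```python
"""When does tcp_syncookies actually send cookies?  A small model of a listen socket.

Added example; not kernel code and not from any answer on this page.  The cookie
is a simplified stand-in for Linux's (HMAC over 4-tuple, client ISN and a coarse
counter, MSS index in the low 2 bits).  The policy for 0 / 1 / 2 is the point.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)               # per-process secret; the kernel keeps its own
COOKIE_LIFETIME_TICKS = 2             # accept cookies this many ticks old (assumption)
MSS_TABLE = (536, 1220, 1440, 1460)   # 2 bits of the cookie select one of these


def make_cookie(src, sport, dst, dport, client_isn, counter, mss):
    """Stateless cookie = 30 bits of HMAC(secret, 4-tuple|ISN|counter) + 2-bit MSS index."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{counter}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return (h & ~0x3) | mss_idx


def check_cookie(src, sport, dst, dport, client_isn, counter_now, cookie):
    """Return the MSS encoded in a valid cookie, else None; tolerates a few old counters."""
    mss = MSS_TABLE[cookie & 0x3]
    for age in range(COOKIE_LIFETIME_TICKS + 1):
        expected = make_cookie(src, sport, dst, dport, client_isn, counter_now - age, mss)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return mss
    return None


class Listener:
    """One listen socket; syncookies follows net.ipv4.tcp_syncookies semantics (0/1/2)."""

    def __init__(self, addr, port, syn_backlog=4, syncookies=1):
        self.addr, self.port, self.syn_backlog, self.syncookies = addr, port, syn_backlog, syncookies
        self.syn_queue = {}       # (src, sport) -> (client ISN, server ISN): the SYN_RECV entries
        self.established = []
        self.counter = 0          # coarse clock folded into the cookie
        self.log = []             # stands in for the kernel's rate-limited warning

    def tick(self):
        self.counter += 1

    def on_syn(self, src, sport, client_isn, mss=1460):
        """Returns ("synack", server_isn) or ("drop", None)."""
        queue_full = len(self.syn_queue) >= self.syn_backlog
        use_cookie = self.syncookies == 2 or (self.syncookies == 1 and queue_full)
        if (use_cookie or queue_full) and not self.log:
            action = "Sending cookies." if use_cookie else "Dropping request."
            self.log.append(f"possible SYN flooding on port {self.port}. {action}")
        if use_cookie:  # no state kept: the server ISN *is* the cookie
            return "synack", make_cookie(src, sport, self.addr, self.port, client_isn, self.counter, mss)
        if queue_full:
            return "drop", None
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.syn_queue[(src, sport)] = (client_isn, server_isn)
        return "synack", server_isn

    def on_ack(self, src, sport, seq_num, ack_num):
        """Final ACK of the handshake: seq = client ISN + 1, ack = server ISN + 1."""
        key = (src, sport)
        if key in self.syn_queue:                       # normal path: half-open state exists
            _, server_isn = self.syn_queue[key]
            if ack_num != (server_isn + 1) & 0xFFFFFFFF:
                return False
            del self.syn_queue[key]
        else:                                           # no state: only a valid cookie gets in
            if self.syncookies == 0 or check_cookie(
                    src, sport, self.addr, self.port, (seq_num - 1) & 0xFFFFFFFF,
                    self.counter, (ack_num - 1) & 0xFFFFFFFF) is None:
                return False
        self.established.append(key)
        return True


def simulate(syncookies, n_flood=6, backlog=4):
    """Flood with n_flood never-acknowledged SYNs from constructed spoofed sources, then
    let one legitimate client try to connect.  Returns (legit_connected, kernel_log)."""
    lst = Listener("192.0.2.10", 443, syn_backlog=backlog, syncookies=syncookies)
    for i in range(n_flood):
        lst.on_syn(f"203.0.113.{i + 1}", 40000 + i, client_isn=1000 + i)
    lst.tick()
    kind, server_isn = lst.on_syn("198.51.100.7", 51000, client_isn=777)
    if kind == "drop":
        return False, lst.log
    ok = lst.on_ack("198.51.100.7", 51000, seq_num=778, ack_num=(server_isn + 1) & 0xFFFFFFFF)
    return ok, lst.log


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"tcp_syncookies={mode}:", simulate(mode))
```

Running it shows the three behaviours side by side: with 0 the legitimate client is dropped once six spoofed SYNs have filled a four-entry queue; with 1 the queue fills, the warning is logged, and the client still connects because its ACK validates against the cookie; with 2 the warning appears on the very first SYN and no queue is ever used. Raising `backlog` in `simulate(0, backlog=8)` is the model's equivalent of raising tcp_max_syn_backlog, which is why the "every ~60 seconds" message on a busy server is usually a backlog-sizing problem rather than an attack.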
3 votes, 1 answer

Linux iptables - reject tcp SYN with RST

I am doing an implementation on a Linux machine to reject incoming telnet requests from the WAN side on telnet port 8023. The functionality is achieved by using the iptables rules below. The first rule in the NAT prerouting chain to DNAT incoming TCP frames…
UserM
3 votes, 1 answer

DDoS manual mitigation using the netstat command. How to determine real attackers?

When my server is slow, I have been told to run this command and check if someone is making SYN_RECV requests to slow down my server: netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort…
Kalib Zen
2 votes, 1 answer

SYN packets never responded to with SYN/ACK

I'm having an issue with a tcp handshake that I can't find the answer to anywhere else. I have a program running on my local device that posts data to port 50000. In a terminal on the same machine, I use netcat to connect to the port. However, while…
Austin
2 votes, 1 answer

Handle "possible SYN flooding on port 443. Sending cookies."

My website constantly has several users online all the time. The server uses Apache/PHP, database and Memcached. On normal use, the application works well and fast. However, the server appears to sometimes have "SYN flooding" attacks. I really…
Nuno
2 votes, 1 answer

IPTABLES - block IPs that do not complete handshake/visit webpage

I am trying to figure out how to achieve something I am not sure is achievable, and need help. I did my research but couldn't find credible information. I hope this question is not a duplicate. SET UP: I am using iptables as my firewall to block malicious…
baboon