Syn_recv

Jul 28, 2007

We are facing the sync attack on our server.

we are getting following logs when we do netstat -n command.

tcp 0 0 OurIP:80 91.164.212.89:21078 SYN_RECV
tcp 0 0 OurIP:80 222.131.23.202:13982 SYN_RECV
tcp 0 0 OurIP:80 196.217.111.63:20440 SYN_RECV
tcp 0 0 OurIP:80 82.254.9.34:17726 SYN_RECV
tcp 0 0 OurIP:80 90.8.229.172:11373 SYN_RECV
tcp 0 0 OurIP:80 84.190.80.131:38875 SYN_RECV
tcp 0 0 OurIP:80 80.200.64.25:57977 SYN_RECV
tcp 0 0 OurIP:80 86.202.45.181:20654 SYN_RECV

Please let us know how should we control this.

View 1 Replies


ADVERTISEMENT

100's Of SYN_RECV Connections

Jun 13, 2007

This problem might be related to phpBB 3.RC1, but I somewhat finds that hard to believe. The story:

Two days ago I upgradet our phpBB 2.0.22 forum to 3.0.RC1.

Since the update I have experienced some weirdness on the server. I have a script, that amongst other things, prints out how many active connections there are to the server at any time. This value has always been between 50 (nighttime) and 300 (80-100 users on the forum). But since the update, occasionally the number of connections climbs well above 800, the DDOS protection gets alarmed, and I get an email saying xx.xx.xx.xx ip adress was banned.

Soo... Today the alarms went of again, and this time i checked the ip address with the forums online users list, and it turned out it was a forum user, and I knew him. I called him up on the phone and asked what had happened.

To make a long story short:

1. Server behaves normally

2. User x opens browser, goes to the forum, and start browsing categories.

3. For each click the user makes, the server get 100 more open connections.

4. User x says that for each click he makes the forum grinds even closer to a halt.

While this is happening, other users are browsing the forum just fine, with no performance problems.

5. User x reaches 800+ open connections to the server, and are locked out.

I've checked with netstat, and all hanging connections from the ip in question are flagged SYN_RECV.

This happens not only to this user, but also a couple of others. Not many though.

Is it possible that phpBB3 never closes connections for some users? Pages never load completely, or would this have to be a client problem?

Any other reasons why so many SYN_RECV connections accumulate?

View 3 Replies View Related

Block DDOs SYN_RECV Attack

Dec 5, 2008

My server is under DDOS attack. Its getting more than 1000 SYN_RECV requests. Please let me know how can I protect my server from it.

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved