Security Incidents mailing list archives
Spam and SYN Flood?
From: "Curt LeCaptain" <lecaptainc () infinitytechnology com>
Date: Mon, 18 Dec 2006 15:24:05 -0600
I'm new to the list, so if I'm in the wrong place e-mailing this message, I apologize. For about the last 5-7 days, I've been noticing a rather large amount of spam, all messages being sent to non-existent addresses on our mail server, with the majority of them showing up as 0-byte e-mails with no FROM address. Alongside this, I had noticed that even after I blocked IP addresses via ipchains (yes, we're not running iptables right now; I'm looking to switch, but it's an older server, so migration is coming to a box that does have iptables on it rather than ipchains), I'm seeing a rather large amount of SYN_RECV connections to port 25. This had created another issue, which was the fact that all these SYN connections were blocking mail access. We'd stop and start sendmail, be able to receive connections for a short time, then lose all connectivity via port 25. It was at this time that I noticed these SYN_RECV connections. I've since enabled TCP_SYNCOOKIES, increased the SYN buffer to 4096, and shortened the amount of time that a SYN connection exists on the server. What I'm looking for is: am I creating a denial of service for myself, or is this coming from somewhere else that I'm just not expecting? If so, is there a way to trace this, or not?
Example of SYN_RECV entries from netstat -anp output:

tcp 0 0 x.x.x.x:25 196.40.74.40:4892 SYN_RECV -
tcp 0 0 x.x.x.x:25 81.198.237.112:2609 SYN_RECV -
tcp 0 0 x.x.x.x:25 85.37.219.136:18197 SYN_RECV -
tcp 0 0 x.x.x.x:25 212.193.162.2:56128 SYN_RECV -
tcp 0 0 x.x.x.x:25 193.25.197.69:57260 SYN_RECV -
tcp 0 0 x.x.x.x:25 217.29.159.130:39079 SYN_RECV -
tcp 0 0 x.x.x.x:25 89.180.62.116:3583 SYN_RECV -
tcp 0 0 x.x.x.x:25 80.99.184.142:1509 SYN_RECV -
tcp 0 0 x.x.x.x:25 195.205.36.110:55455 SYN_RECV -
tcp 0 0 x.x.x.x:25 217.195.17.67:38192 SYN_RECV -
tcp 0 0 x.x.x.x:25 220.110.2.106:51764 SYN_RECV -
tcp 0 0 x.x.x.x:25 193.171.152.37:45375 SYN_RECV -
tcp 0 0 x.x.x.x:25 85.158.136.35:10157 SYN_RECV -
tcp 0 0 x.x.x.x:25 210.188.201.9:38873 SYN_RECV -

(this can go on for about 1500 connections, so that's why only about 15 are listed)

Any help is appreciated.

Curt L.
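The post asks whether the SYN_RECV backlog is self-inflicted or external and how to trace it. A first, cheap step is to summarise the netstat listing rather than eyeball 1500 lines: how many half-open connections sit on port 25, how many distinct remote hosts they come from, and whether any single host dominates. The script below is an added example, not code from the post or the list; it parses the Linux net-tools `netstat -anp` format, counts SYN_RECV entries per local port and per remote host, and reports whether the pattern looks concentrated (where a per-host block like the poster's ipchains rules can help) or distributed (where per-host blocks will not drain the queue and syncookies plus the SYN queue size matter more). The sample input is constructed, with 192.0.2.10 standing in for the server's own address (x.x.x.x in the post); the `backlog_warn` and `single_source_share` thresholds are hypothetical defaults to compare against the host's own tcp_max_syn_backlog.

```python
import re
import sys
from collections import Counter

# Constructed sample of `netstat -anp` output, modelled on the lines in the post.
# 192.0.2.10 is a placeholder for the server's own address; remote addresses are
# taken from the post's listing, with one host repeated to show per-host counting.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 192.0.2.10:25           196.40.74.40:4892       SYN_RECV    -
tcp        0      0 192.0.2.10:25           81.198.237.112:2609     SYN_RECV    -
tcp        0      0 192.0.2.10:25           85.37.219.136:18197     SYN_RECV    -
tcp        0      0 192.0.2.10:25           85.37.219.136:18201     SYN_RECV    -
tcp        0      0 192.0.2.10:25           212.193.162.2:56128     SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.7:40012      ESTABLISHED 1234/sendmail
tcp        0      0 192.0.2.10:22           198.51.100.9:50113      ESTABLISHED 987/sshd
"""

# One netstat TCP row: proto, recv-q, send-q, local addr:port, foreign addr:port,
# state, optional pid/program. The greedy \S+ before the last colon keeps IPv6
# addresses on tcp6 rows intact.
ROW_RE = re.compile(
    r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)(?:\s+(\S.*))?$"
)


def parse_netstat(text):
    """Parse `netstat -anp` text into dicts; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        proto, _recvq, _sendq, laddr, lport, faddr, fport, state, prog = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state,
                     "prog": (prog or "-").strip()})
    return rows


def syn_recv_counts(rows):
    """Count half-open (SYN_RECV) connections per local port and per remote host."""
    by_port, by_host = Counter(), Counter()
    for r in rows:
        if r["state"] == "SYN_RECV":
            by_port[r["lport"]] += 1
            by_host[r["faddr"]] += 1
    return by_port, by_host


def assess(rows, backlog_warn=1024, single_source_share=0.5):
    """Summarise the half-open backlog and whether it is spread over many sources.

    backlog_warn: hypothetical count at which the SYN queue is treated as dangerously
    full (compare with the host's tcp_max_syn_backlog). single_source_share: if no
    single remote host holds at least this share of SYN_RECV entries, the pattern is
    treated as distributed.
    """
    by_port, by_host = syn_recv_counts(rows)
    total = sum(by_port.values())
    if total == 0:
        return {"total": 0, "ports": {}, "distinct_sources": 0, "top_source": None,
                "top_share": 0.0, "distributed": False, "high_backlog": False}
    top_source, top_n = by_host.most_common(1)[0]
    top_share = top_n / total
    return {"total": total, "ports": dict(by_port), "distinct_sources": len(by_host),
            "top_source": top_source, "top_share": top_share,
            "distributed": top_share < single_source_share,
            "high_backlog": total >= backlog_warn}


def report(text, **thresholds):
    """Human-readable summary to read before deciding on per-host blocks."""
    a = assess(parse_netstat(text), **thresholds)
    lines = [f"half-open (SYN_RECV) connections: {a['total']}"]
    for port, n in sorted(a["ports"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  local port {port}: {n}")
    if a["total"]:
        lines.append(f"distinct remote hosts: {a['distinct_sources']}; "
                     f"top source {a['top_source']} holds {a['top_share']:.0%}")
        if a["distributed"]:
            lines.append("pattern: spread across many sources; per-host blocks will not "
                         "drain the backlog, keep tcp_syncookies on and watch the SYN queue")
        else:
            lines.append(f"pattern: concentrated on {a['top_source']}; a per-host rule helps")
    if a["high_backlog"]:
        lines.append("warning: backlog at or above the configured threshold")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in (`netstat -anp | python3 this.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(text))
```

Run against the real listing, a "distributed" verdict with hundreds of distinct sources is the signature the poster describes, and it is why individual ipchains blocks kept failing to restore port 25: the queue refills from addresses not yet blocked. The same counts taken a few minutes apart show whether the shortened SYN_RECV timeout and syncookies are actually keeping the backlog below tcp_max_syn_backlog.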
Current thread:
- Spam and SYN Flood? Curt LeCaptain (Dec 18)
- Re: Spam and SYN Flood? Peter Kosinar (Dec 21)