On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote: > it is my understanding that SYN_SENT is when MY SIDE sends out a request and > is awaiting a reply?
That's right. > One of the jails we run for a customer had hundreds (if not thousands) of > attempts to connect from the 147. address you see below. It was exhausting > resources so that new tcp connections could not be made until some closed. You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you. > I added that address to a "pf" block statement to stop it but now we get a > rolling connections in a "netstat -a" as show below (host. being a generic > name used in place of actual host on our side). I am wondering if this > shows something on our side trying to connect out? That is what it appears > to me to be, which does not make sense. > > > tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT > tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT Yes, your side is trying to connect out. Unless you know better, it seems reasonable to gather that it's doing a DoS attack against: % whois 147.237.76.155 [ ... ] inetnum: 147.237.0.0 - 147.237.255.255 netname: IL-GOVT-NET descr: Israeli Government Network country: IL admin-c: AT979-RIPE tech-c: TT441-RIPE status: ASSIGNED PI mnt-by: GOV-IL-DNS mnt-lower: GOV-IL-DNS mnt-routes: AS8867-MNT { ANY } mnt-routes: AS9116-MNT { 147.237.232.0/24^24-24 } source: RIPE # Filtered person: Admin Tehila address: Israel Ministry Of Finance address: 1 Netanel Lorech st address: Jerusalem Israel phone: +972 2 6664666 fax-no: +972 2 6664650 remarks: For ABUSE and security issues please contact remarks: email: ab...@tehila.gov.il remarks: or contact CERT.gov.il at rep...@cert.gov.il nic-hdl: AT979-RIPE source: RIPE # Filtered Regards, -- -Chuck _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"