netstat | grep www | wc -l
1138
I was seeing lots of 'SYN_RECV' on port 80 coming from one host. I've
tried the following iptables rules (from iptables-save). Kind of a mess,
as I've been trying multiple things to solve this problem.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
I also disabled ipv6, which I was seeing a lot of from this host.
I am now seeing a lot of entries like this:
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:34884 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:33860 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:33863 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44103 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57671 ESTABLISHED
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57927 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57926 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:58489 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:57465 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:50041 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:48251 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44155 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:55675 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:41850 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:55674 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44413 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:59517 ESTABLISHED
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44401 CLOSE_WAIT
I've blocked this IP (resolves to 18255.com) on this machine using
iptables -I INPUT -s 66.116.125.131 -j DROP
This doesn't work, so perhaps it's a spoofed IP? *shrugs*
Any help would be appreciated, this is causing a bit of strain on my web
server. :/
-Will
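An added example, not part of Will's post: a small POSIX shell script that turns `netstat -tn` output into per-peer, per-state counts for one local port, picks out peers holding more than a threshold of connections in a given state (SYN_RECV for the half-open case above), and prints, rather than applies, a block rule for each. It runs on a constructed netstat sample (made-up 203.0.113.x / 198.51.100.x addresses) so it works offline; on a real box replace `sample_netstat` with `netstat -tn`. The function names, the threshold of 3 and the sample are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise TCP states per
# remote peer so one abusive host stands out, then emit block rules.

# Constructed sample of `netstat -tn` output; addresses are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.240:80        203.0.113.7:34884       SYN_RECV
tcp        0      0 192.168.1.240:80        203.0.113.7:34885       SYN_RECV
tcp        0      0 192.168.1.240:80        203.0.113.7:34886       SYN_RECV
tcp        0      0 192.168.1.240:80        203.0.113.7:34887       SYN_RECV
tcp        0      0 192.168.1.240:80        203.0.113.7:33860       FIN_WAIT2
tcp        1      0 192.168.1.240:80        203.0.113.7:44103       CLOSE_WAIT
tcp        0      0 192.168.1.240:80        198.51.100.20:51000     ESTABLISHED
tcp        0      0 192.168.1.240:80        198.51.100.20:51001     SYN_RECV
tcp        0      0 192.168.1.240:22        198.51.100.9:40000      ESTABLISHED
EOF
}

# Count (peer IP, state) pairs for connections to local port $1.
# Output lines look like: "4 203.0.113.7 SYN_RECV", busiest first.
# Usage: summarize_port 80 < netstat-output
summarize_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            # Strip the remote port; rejoin the rest so IPv6 peers survive.
            n = split($5, a, ":")
            peer = a[1]
            for (i = 2; i < n; i++) peer = peer ":" a[i]
            count[peer " " $6]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Peers holding more than $2 connections in state $1 on local port $3.
# Usage: peers_over SYN_RECV 3 80 < netstat-output
peers_over() {
    summarize_port "$3" | awk -v st="$1" -v max="$2" '$3 == st && $1 > max { print $2 }'
}

# Print (do not run) a DROP rule for every peer with more than 3 half-open
# connections to port 80 in the sample; review before applying.
block_rules() {
    sample_netstat | peers_over SYN_RECV 3 80 | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

sample_netstat | summarize_port 80
block_rules
```

Two checks worth making before trusting the result on a live host: use `netstat -n` (as above) so the peer column shows the numeric address and can be compared directly with the one given to `iptables -s`, and remember that a DROP rule only stops further packets; sockets already in FIN_WAIT2 stay until the kernel's FIN timeout expires, and CLOSE_WAIT entries persist until the local web server process closes them, so the `netstat` count will not fall the instant the rule is inserted. For the half-open SYN_RECV case itself, `sysctl -w net.ipv4.tcp_syncookies=1` is the standard kernel-side mitigation.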