
http loads of child processes with SYN_SENT

Discussion in 'Plesk for Linux - 8.x and Older' started by rembrandt, Nov 4, 2005.

  1. rembrandt

    rembrandt Guest

    0
     
    I have a little problem on one Red Hat server with PSA 7.5: Apache opens loads of child processes, too many, because within 5 to 6 minutes Apache can't be reached. Only solution: restart Apache, then it all starts over again.

    Here's a small portion of a netstat output:
    Code:
    tcp  0 1 plesk.server:51034   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51029   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51028   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51031   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51030   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51025   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51024   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51027   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51026   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51005   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51004   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51007   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51006   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51001   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51000   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51003   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:51002   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:50997   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:50996   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:50999   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:50998   ip.ad.rr.ess:http    SYN_SENT
    tcp  0 1 plesk.server:50995   ip.ad.rr.ess:http    SYN_SENT
    
    The odd thing is, the connections are -all- to the same IP address (which can't even be reached over port 80).

    Can anyone tell me what the heck is going wrong and preferably hand me a solution?
     
  2. ShadowMan@

    ShadowMan@ Guest

    0
     
    Probably a syn flood attack, try blocking the IP address in the firewall.

    The IP can't be reached on port 80, probably since it's not another webserver; it may be a zombied or infected PC.

    If you have not done so, I would recommend installing (at least the following):

    bw_mod
    mod_security
    APF/BFD

    and possibly customizing the Apache RLimit settings.

    Also in your firewall script (IPTABLES?) you can rate limit:
    Examples:
    -A FORWARD -i eth+ -p tcp --syn -m limit --limit 30/m -j ACCEPT
    -A FORWARD -p tcp --syn -m limit --limit 30/m -j ACCEPT
    -A FORWARD -p tcp -m tcp -m limit -i eth+ --tcp-flags SYN,RST,ACK SYN --limit 30/min -j ACCEPT
    -A FORWARD -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 30/min -j ACCEPT
     
  3. rembrandt

    rembrandt Guest

    0
     
    Thx for the reply shadow, however I've blocked the IP address already (hell, even the whole range), still nothing...
     
  4. ShadowMan@

    ShadowMan@ Guest

    0
     
    Strange, if an IP or range of IPs is blocked in the firewall, and firewall restarted, then those IPs should not be able to connect to your server.

    What exactly did you specify in the firewall to block the IPs??

    Should be something like:
    -A INPUT -s ip.add.re.ss/32 -i eth+ -j DROP
    (single IP)

    -A INPUT -s ip.add.re.ss/24 -i eth+ -j DROP
    (range of IPs, or /16 or /8)

    Since it does not specify any given ports, it blocks them from all ports on the server.
     
  5. rembrandt

    rembrandt Guest

    0
     
    I just put (first) the IP address in the "iptables-blocked-hosts" file and later the whole range, restarted iptables, but ... no go.. weird
     
  6. ShadowMan@

    ShadowMan@ Guest

    0
     
    That is very weird. I edited my earlier post, you could still install mod_security and bw_mod, and I suppose mod_dosevasive, and do the RLimit directives for Apache.
     
  7. rembrandt

    rembrandt Guest

    0
     
    My thoughts exactly: weird... incomprehensible...
     
  8. ShadowMan@

    ShadowMan@ Guest

    0
     
    I know you have probably already run RKHunter and CHKrootkit, right?

    And have you verified that the IP or range is not already listed (for whatever reason) in the allowed-hosts file? What IPTables control script are you using?
     
  9. mian

    mian Guest

    0
     
    Try adding -p to netstat to see what is sending the SYNs.

    The reason your iptables rules aren't blocking it is because you're doing source: ip.addr.ess, but the SYNs are coming FROM your machine going TO ip.addr.ess.
     
  10. rembrandt

    rembrandt Guest

    0
     
    The reason the machine is sending, is/was because it received a lot of requests. "SYN_SENT" means that the server is trying to establish a connection.

    My solution for this incident: rebuild my conf files for iptables, they probably got screwed up editing, put the IP range in the "blocked hosts", restarted iptables and: all was quiet again.

    Thx for all answers.
     
  11. mian

    mian Guest

    0
     
    Your machine was sending SYN packets to port 80 (http) of ip.addr.ess. This means your machine was trying to connect to someone else's webserver. They were not trying to connect to yours, because they wouldn't use port 80 as a source socket.
     
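The point mian makes in posts 9 and 11 (SYN_SENT means the local host is the one initiating, so an INPUT -s rule can never match those packets) is easy to check mechanically before writing any firewall rule. The script below is an added example, not code from the thread or from Plesk: it parses netstat-style lines, groups half-open connections by who sent the SYN, and emits a rule for the matching chain (OUTPUT -d for connections the server is opening, INPUT -s for connections arriving at it). The sample output is constructed, reusing the thread's ip.ad.rr.ess placeholder plus two made-up inbound peers; the function names are mine. The parser ignores the trailing PID/Program column that netstat -p adds, and with netstat -n the address fields are numeric rather than hostnames.

```python
import re
from collections import Counter

# Constructed sample (not the thread's real data): the thread's pattern
# (local ephemeral port -> remote :http in SYN_SENT) plus, for contrast,
# one inbound half-open connection and one established inbound session.
SAMPLE_NETSTAT = """\
tcp  0 1 plesk.server:51034   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51029   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51028   ip.ad.rr.ess:http    SYN_SENT
tcp  0 0 plesk.server:http    203.0.113.9:40211    SYN_RECV
tcp  0 0 plesk.server:http    198.51.100.7:51555   ESTABLISHED
"""

# proto, recv-q, send-q, local addr:port, remote addr:port, state
# (anything after the state, e.g. the -p program column, is ignored).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\S+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r"(?P<state>[A-Z_]+)"
)


def parse_netstat(text):
    """Return one dict per TCP line that matches the netstat layout."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows):
    """Group half-open connections by who initiated them.

    SYN_SENT: the local host sent the SYN (it is acting as a client).
    SYN_RECV: a remote host sent the SYN to a local listening port.
    """
    outbound = Counter()   # (remote addr, remote port) -> count
    inbound = Counter()    # remote addr -> count
    for r in rows:
        if r["state"] == "SYN_SENT":
            outbound[(r["raddr"], r["rport"])] += 1
        elif r["state"] == "SYN_RECV":
            inbound[r["raddr"]] += 1
    return outbound, inbound


def suggest_rules(outbound, inbound, threshold=1):
    """Build iptables rule strings in the chain that matches each finding.

    An `-A INPUT -s peer` rule never sees the server's own outgoing SYNs:
    those traverse OUTPUT with the peer as the destination address.
    Inbound half-open connections are what an INPUT -s rule is for.
    """
    rules = []
    for (raddr, rport), n in sorted(outbound.items()):
        if n >= threshold:
            rules.append(f"-A OUTPUT -d {raddr} -p tcp --dport {rport} -j DROP")
    for raddr, n in sorted(inbound.items()):
        if n >= threshold:
            rules.append(f"-A INPUT -s {raddr} -i eth+ -j DROP")
    return rules


if __name__ == "__main__":
    out, inb = classify(parse_netstat(SAMPLE_NETSTAT))
    print("outbound half-open:", dict(out))
    print("inbound half-open: ", dict(inb))
    for rule in suggest_rules(out, inb):
        print(rule)
```

Dropping the outbound rule only stops the symptom; a server that is opening many connections to a single remote web port on its own is the finding a rootkit/process check (the RKHunter and chkrootkit suggestion above, plus netstat -p to name the process) should follow up on.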