[Question]   Please help, I'm being SYN flooded 13/06/2009 09:07:31 (+0700) | #1 | 183409
kimkhue
Member
Joined: 07/05/2009 00:11:52
Messages: 10
Offline
My server seems to be under a SYN flood. When I run the command
netstat -nap |grep SYN |wc -l
the result is
667

When I run the command
netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
1 established)
1 Foreign
18 LAST_ACK
20 CLOSE_WAIT
25 listEN
42 FIN_WAIT1
145 TIME_WAIT
184 FIN_WAIT2
354 ESTABLISHED
975 SYN_RECV

I see an excessively large number of connections in SYN_RECV.
When I run netstat I get many results like these:
Code:
tcp        0      1 mail10.cloudproducts.n:http ntoska520199.oska.nt.:63054 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 134.66.38.59.broad.fs:62997 FIN_WAIT1
tcp        0  20441 mail10.cloudproducts.n:http ::ffff:222.177.29.:iclpv-pm FIN_WAIT1
tcp        0   4530 mail10.cloudproducts.n:http dsl88-249-9639.ttnet:rs-rmi FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.145.24.184:tram  FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:117.9.207.123:4716   FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:119.36.14:intraintra FIN_WAIT1
tcp        0  11521 mail10.cloudproducts.n:http ::ffff:119.36:cpq-tasksmart LAST_ACK
getnameinfo failed
tcp        0  11265 mail10.cloudproducts.n:http [UNKNOWN]:64910             LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.116.153.25:57930 FIN_WAIT1
tcp        0    531 mail10.cloudproducts.n:http ::ffff:123.23.142.18:tekpls FIN_WAIT1
tcp        0      0 mail10.cloudproducts.n:http ::ffff:125.58.224.1:cichlid TIME_WAIT
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27322 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27323 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27321 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27324 FIN_WAIT1
tcp        0      0 mail10.cloudproducts.n:http ::ffff:125.58.224.16:mimer  TIME_WAIT
tcp        0      0 mail10.cloudproducts.n:http ::ffff:125.58.224.16:linx   TIME_WAIT
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27318 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 254.2.214.222.broad.a:27317 FIN_WAIT1
tcp        0  19426 mail10.cloudproducts.n:http ::ffff:123.234.116.9:aal-lm FIN_WAIT1
tcp        0      0 mail10.cloudproducts.ne:ssh ::ffff:98.124.17:metricadbc ESTABLISHED
tcp        0      1 mail10.cloudproducts.n:http ::ffff:218.64.205.53:auris  FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.233.90.196:asi   FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.112.203.22:49153 FIN_WAIT1
tcp        0  11681 mail10.cloudproducts.n:http 77-102-160-178.cable.:55081 LAST_ACK
tcp        0   8591 mail10.cloudproducts.n:http ::ffff:116.71.73.35:42866   FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 58-27-168-234.wateen.n:4122 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:114.94.92.6:64331    FIN_WAIT1
tcp        0  11521 mail10.cloudproducts.n:http ::ffff:119.3:dmod-workspace LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http 66.160.55.123.broad.sm:6339 FIN_WAIT1
tcp        0  11617 mail10.cloudproducts.n:http ::ffff:94.1:composit-server LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http 66.160.55.123.broad.sm:6338 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.116.153.25:57835 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:122.230.42.107:43092 FIN_WAIT1
tcp        1  11521 mail10.cloudproducts.n:http 127.234.58.59.board.ly:9563 LAST_ACK
tcp        0  11617 mail10.cloudproducts.n:http ::ffff:120.92:netview-aix-9 LAST_ACK
tcp        1  20161 mail10.cloudproducts.n:http ::ffff:222.133.:ans-console LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http ::ffff:222.244:bullant-srap FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:222.94.235.30:6221   FIN_WAIT1
tcp        0  11296 mail10.cloudproducts.n:http dsl85-104-579:jdl-dbkitchen LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http ::ffff:125.38.168.53:crip   LAST_ACK
tcp        0      1 mail10.cloudproducts.n:http ::ffff:110.184.119.16:51383 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:123.114.248.91:6924  LAST_ACK
tcp        1  10081 mail10.cloudproducts.n:http 127.234.58.59.board.ly:8817 LAST_ACK
tcp        0   5761 mail10.cloudproducts.n:http 127.234.58.59.board.ly:9837 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:61.184.60.1:imtc-mcs FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 76.153.56.59.broad.fz:14670 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 20.89.27.117.broad.fz:16125 FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http ::ffff:61.189.48.167:qwave  FIN_WAIT1
tcp        0      1 mail10.cloudproducts.n:http 76.153.56.59.broad.fz:14657 FIN_WAIT1
tcp        1  12961 mail10.cloudproducts.n:http 127.234.58.59.board.ly:8962 LAST_ACK

And when I run netstat -ant I get
Code:
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:120.86.136.131:4451  ESTABLISHED
tcp        0  18928 ::ffff:98.124.176.60:80     ::ffff:115.240.142.161:4833 ESTABLISHED
tcp      430      0 ::ffff:98.124.176.60:80     ::ffff:220.233.30.243:53818 ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.97.51.92:1324    TIME_WAIT
tcp        0      1 ::ffff:98.124.176.60:80     ::ffff:59.93.82.133:1193    FIN_WAIT1
tcp      666      0 ::ffff:98.124.176.60:80     ::ffff:81.241.84.59:51643   ESTABLISHED
tcp        0  10136 ::ffff:98.124.176.60:80     ::ffff:124.42.78.181:7158   ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:218.19.44.33:13878   FIN_WAIT2
tcp      467      0 ::ffff:98.124.176.60:80     ::ffff:77.254.57.72:50343   ESTABLISHED
tcp        0   4321 ::ffff:98.124.176.60:80     ::ffff:222.69.35.98:62765   FIN_WAIT1
tcp        0   7201 ::ffff:98.124.176.60:80     ::ffff:222.69.35.98:62766   FIN_WAIT1
tcp        0   7201 ::ffff:98.124.176.60:80     ::ffff:222.69.35.98:62767   FIN_WAIT1
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:61.171.137.156:2962  FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:61.171.137.156:2963  ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:120.86.136.131:4467  ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1529    FIN_WAIT2
tcp        0      1 ::ffff:98.124.176.60:80     ::ffff:203.218.185.172:2014 FIN_WAIT1
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1528    FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:218.110.160.125:1697 ESTABLISHED
tcp        0  14680 ::ffff:98.124.176.60:22     ::ffff:117.2.1.238:49663    ESTABLISHED
tcp        0   8712 ::ffff:98.124.176.60:80     ::ffff:120.4.72.127:60449   ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1531    FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:220.233.30.243:53782 TIME_WAIT
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:220.233.30.243:53783 TIME_WAIT
tcp        0  13068 ::ffff:98.124.176.60:80     ::ffff:222.64.251.126:32723 ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1521    FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1523    FIN_WAIT2
tcp        0   8993 ::ffff:98.124.176.60:80     ::ffff:59.59.248.27:2755    FIN_WAIT1
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1525    FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:219.146.227.12:47713 FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:113.15.13.32:3391    TIME_WAIT
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:83.89.113.140:28090  TIME_WAIT
tcp        0  12960 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1239    ESTABLISHED
tcp      353      0 ::ffff:98.124.176.60:80     ::ffff:221.206.211.202:3286 ESTABLISHED
tcp        0  41760 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1238    ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:116.240.220.53:1306  ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:203.166.227.20:62102 TIME_WAIT
tcp      354      0 ::ffff:98.124.176.60:80     ::ffff:222.160.22.115:2752  ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:71.122.119.124:1908  FIN_WAIT2
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:71.122.119.124:1911  FIN_WAIT2
tcp      365      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1519    ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:117.22.1.254:1518    FIN_WAIT2
tcp        0  12672 ::ffff:98.124.176.60:80     ::ffff:222.30.77.24:55884   ESTABLISHED
tcp        0  11520 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1247    ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:58.208.168.95:1327   ESTABLISHED
tcp        0      0 ::ffff:98.124.176.60:80     ::ffff:218.66.14.133:43456  ESTABLISHED
tcp        0      1 ::ffff:98.124.176.60:80     ::ffff:61.156.142.193:2265  FIN_WAIT1
tcp        0  11520 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1244    ESTABLISHED
tcp        0  31020 ::ffff:98.124.176.60:80     ::ffff:58.33.132.119:6361   ESTABLISHED
tcp        0   8640 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1243    ESTABLISHED
tcp        0   8640 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1241    ESTABLISHED
tcp        0  11520 ::ffff:98.124.176.60:80     ::ffff:222.70.7.150:1240    ESTABLISHED

I guess I'm being "attacked" from the IP 98.124.176.60, but I don't have enough knowledge to tell how it's being done.

I hope someone can help me with a way to stop it; the server has been DDoSed continuously for 2 days now.
[Question]   Please help, I'm being SYN flooded 13/06/2009 12:10:37 (+0700) | #2 | 183419
mR.Bi
Member
Joined: 22/03/2006 13:17:49
Messages: 812
Offline
Huh? I thought the IP 98.124.176.60 was your own server's IP. Why would you suspect your own server?
All of my life I have lived by a code and the code is simple: "honour your parent, love your woman and defend your children"
[Question]   Please help, I'm being SYN flooded 13/06/2009 16:10:27 (+0700) | #3 | 183430
kimkhue
Member
Joined: 07/05/2009 00:11:52
Messages: 10
Offline
Ah, my mistake; that's what limited knowledge gets you. It's been 2 days of this, so my head is completely muddled...

I just installed csf with a limit of 1/s and a burst of 5, along with sync_deflate. I don't know whether those csf settings will affect Vietnamese traffic (dynamic IPs)?
[Question]   Please help, I'm being SYN flooded 14/06/2009 01:29:08 (+0700) | #4 | 183462
mfeng
Researcher
Joined: 29/10/2004 15:16:29
Messages: 243
Offline
Have a look at how to harden the TCP/IP stack to limit SYN attacks:
http://www.securityfocus.com/infocus/1729

Since the netstat output you posted doesn't show the connections that are in SYN_RECV, nothing can be concluded yet about the source of the attack.
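An added example (the editor's, not code posted in this thread) that does what the first post's netstat pipeline does and also addresses the last reply's point: it tallies connection states from netstat -ant output and then breaks SYN_RECV down by remote address, which is the detail needed before anything can be said about where a flood is coming from. The netstat output embedded below is a constructed sample using documentation addresses, not the thread's data, and the parsing assumes the two header lines and IPv4-mapped "::ffff:" addresses seen in the thread.

```shell
#!/bin/sh
# Editor's example: tally TCP states from "netstat -ant" output and find which
# remote addresses hold the half-open (SYN_RECV) connections.
# NETSTAT_SAMPLE is constructed (documentation addresses), not the thread's data.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 ::ffff:198.51.100.10:80     ::ffff:203.0.113.7:40001    SYN_RECV
tcp        0      0 ::ffff:198.51.100.10:80     ::ffff:203.0.113.7:40002    SYN_RECV
tcp        0      0 ::ffff:198.51.100.10:80     ::ffff:203.0.113.7:40003    SYN_RECV
tcp        0      0 ::ffff:198.51.100.10:80     ::ffff:192.0.2.55:51000     SYN_RECV
tcp        0   1200 ::ffff:198.51.100.10:80     ::ffff:192.0.2.44:3321      ESTABLISHED
tcp        0      0 ::ffff:198.51.100.10:80     ::ffff:192.0.2.44:3322      TIME_WAIT
tcp        0      0 ::ffff:198.51.100.10:22     ::ffff:192.0.2.99:5555      ESTABLISHED'

# Connections per state, most frequent first. Skipping the two header lines
# avoids the stray "established)" and "Foreign" rows the thread's pipeline shows.
state_counts() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk 'NR > 2 && $1 == "tcp" { print $6 }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Number of connections in one state, e.g. count_state SYN_RECV.
count_state() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v s="$1" 'NR > 2 && $6 == s' | wc -l | tr -d ' '
}

# Remote addresses with SYN_RECV connections, most frequent first. Column 5 is
# the foreign address; the port and the IPv4-mapped "::ffff:" prefix are removed.
syn_recv_sources() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk 'NR > 2 && $6 == "SYN_RECV" {
        a = $5; sub(/^::ffff:/, "", a); sub(/:[^:]*$/, "", a); print a }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Address holding the most half-open connections.
top_syn_recv_source() {
    syn_recv_sources | head -n 1 | awk '{ print $1 }'
}

echo "connections per state:"; state_counts
echo "SYN_RECV by remote address:"; syn_recv_sources
```

To run it against a live host, set NETSTAT_SAMPLE from the real command, e.g. NETSTAT_SAMPLE=$(netstat -ant); a single address dominating the SYN_RECV list is a different situation from thousands of distinct addresses with one half-open connection each (typical of spoofed sources), which is where the TCP/IP stack hardening in the linked article matters.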
Powered by JForum - Extended by HVAOnline