are we getting hacked?

are we getting hacked?

Post by David Goldstei » Wed, 19 May 1999 04:00:00

> I logged into our internet gateway and noticed it was running very
> slow. Upon running top I found that in.inetd was consuming a lot of the
> system's cpu. I then ran to /var/log/messages and started reading. I
> noticed a lot of "ftp session closed" and "syn flooding". How can I
> track this down? Also, what does this mean? Following is an excerpt
> from the logfile: (btw, sendmail crashed from a lack of memory
> concerning this. perhaps it is something i misconfigured?)

Under networking options when you compile your kernel, you will see a
reference to SYN cookies. Make sure that you compile the kernel with
this feature on. That should handle the problem.  By the way, the help
file associated with this says that the ip address is probably not the
real one, so backtracking probably will not help you here.

> Dustin Puryear


David

are we getting hacked?

Post by Stefan Schlo » Thu, 20 May 1999 04:00:00

(from the original posting:)

>> May 17 16:07:19 mail kernel: Warning: possible SYN flood from
>> 206.47.27.32 on 216.115.143.163:113.  Sending cookies.
>Under networking options when you compile your kernel, you will see a
>reference to SYN cookies. Make sure that you compile the kernel with
>this feature on. That should handle the problem.

I think he did so (kernel option "IP: syn cookies", #defines
CONFIG_SYN_COOKIES). Otherwise he would not get the "sending cookies"
log entry.

Stefan.

--
*-- Please cut here! --------------------------------- Thanks! --*

 PGP key-ID: 0x37F2A89D (available on key servers)
*----------------------------------------------------------------*


are we getting hacked?

Post by dpury.. » Thu, 20 May 1999 04:00:00

> > I logged into our internet gateway and noticed it was running very
> > slow. Upon running top I found that in.inetd was consuming a lot of the
> > system's cpu. I then ran to /var/log/messages and started reading. I
> > noticed a lot of "ftp session closed" and "syn flooding". How can I
> > track this down? Also, what does this mean? Following is an excerpt
> > from the logfile: (btw, sendmail crashed from a lack of memory
> > concerning this. perhaps it is something i misconfigured?)

> Under networking options when you compile your kernel, you will see a
> reference to SYN cookies. Make sure that you compile the kernel with
> this feature on. That should handle the problem.  By the way, the help
> file associated with this says that the ip address is probably not the
> real one, so backtracking probably will not help you here.

I compile SYN cookies into every Linux machine we have. However, this
is the first time it has actually been used. :)

Anyway, is this always an attack and not some type of weird
misconfiguration? Also, even with SYN cookies compiled in, will the
attack slow down my connection to the internet? I noticed that my
system load was pretty high when I was getting the messages. Also, the
speed of the internet connection wasn't all that great.

I assume that this type of attack is a denial of service attack? Also,
the only protection I have is the SYN cookie option? What else can I do?

---
Dustin Puryear

--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---
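As an added example (this is not code from any of the posters), the Python below does the log triage Dustin asks about: it pulls the kernel "possible SYN flood" warning quoted earlier in the thread out of a /var/log/messages excerpt, aggregates it by claimed source address and by attacked local address:port, measures the peak number of warnings in any one-minute window, counts the "session closed" lines he also saw, and reports whether the running kernel has SYN cookies switched on. The sample log is constructed from the one entry quoted in the thread; the 10.9.8.7 source, the port 25 entry and the FTP line are invented to exercise the aggregation. The /proc/sys/net/ipv4/tcp_syncookies path is an assumption that holds for kernels exposing the option as a sysctl; on a kernel without it the function reports None. As David's post notes, the source addresses in a SYN flood are usually spoofed, so the per-source count is a count of claimed sources, not attribution.

```python
"""Triage of the Linux kernel "possible SYN flood" warning in syslog."""
import re
import sys
from collections import Counter
from datetime import datetime

# Format of the kernel warning as quoted in the thread. The action text
# ("Sending cookies") is captured rather than hard-coded so that a kernel
# which reports a different action for the same event is still parsed.
SYN_FLOOD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Warning: possible SYN flood from (?P<src>[\d.]+) on (?P<dst>[\d.]+):(?P<port>\d+)\.\s*"
    r"(?P<action>[^.]+)\.\s*$"
)

# Constructed sample, modelled on the single entry quoted in the thread.
# The 10.9.8.7 source, the port-25 entry and the FTP line are invented to
# exercise the aggregation; they are not from the original log.
SAMPLE_LOG = """\
May 17 16:07:19 mail kernel: Warning: possible SYN flood from 206.47.27.32 on 216.115.143.163:113.  Sending cookies.
May 17 16:07:19 mail kernel: Warning: possible SYN flood from 206.47.27.32 on 216.115.143.163:113.  Sending cookies.
May 17 16:07:20 mail ftpd[1124]: FTP session closed
May 17 16:07:21 mail kernel: Warning: possible SYN flood from 10.9.8.7 on 216.115.143.163:113.  Sending cookies.
May 17 16:08:40 mail kernel: Warning: possible SYN flood from 206.47.27.32 on 216.115.143.163:25.  Sending cookies.
"""


def parse_syn_flood_warnings(lines):
    """Return one dict per kernel SYN flood warning found in the given lines."""
    events = []
    for line in lines:
        m = SYN_FLOOD_RE.match(line.rstrip("\n"))
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            ev["action"] = ev["action"].strip()
            events.append(ev)
    return events


def peak_rate(events, window_seconds=60):
    """Largest number of warnings inside any window of window_seconds.

    Syslog timestamps carry no year, so strptime defaults to 1900; only the
    differences matter here, which is fine within a single year.
    """
    times = sorted(datetime.strptime(e["ts"], "%b %d %H:%M:%S") for e in events)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text):
    """Summarise a syslog excerpt: who is claimed to be flooding what, and how hard."""
    lines = log_text.splitlines()
    events = parse_syn_flood_warnings(lines)
    return {
        "warnings": len(events),
        # Source addresses in a SYN flood are usually spoofed, so this is a
        # count of claimed sources, not attribution.
        "by_claimed_src": Counter(e["src"] for e in events),
        "by_target": Counter((e["dst"], e["port"]) for e in events),
        "actions": Counter(e["action"] for e in events),
        "peak_per_minute": peak_rate(events),
        "ftp_sessions_closed": sum("session closed" in l.lower() for l in lines),
    }


def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Runtime SYN cookie state on kernels that expose the sysctl (assumed path).

    Returns None if the file does not exist, e.g. on a kernel without the option.
    """
    try:
        with open(path) as f:
            return f.read().strip() != "0"
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: python3 synflood_triage.py /var/log/messages  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(text).items():
        print(f"{key}: {value}")
    print("tcp_syncookies sysctl:", syncookies_enabled())
```

On the sample the report shows three warnings from one claimed source against port 113 within two seconds and a fourth against port 25 a minute later, with "Sending cookies" as the action on every one, which is the runtime confirmation Stefan infers from the log that the cookie code is compiled in. A burst concentrated in a short window and a single target port is what an attack looks like; warnings scattered evenly over hours from many internal addresses would point at a misbehaving client instead.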