11-20-2008, 03:48 PM
"Chris Heiner"

SYD flood dropped on Sendmail (centos 4.x)

My guys,

My firewall seems to block an attack my Centos / Sendmail
boxes on port 110. These servers require a reboot after each attack. My
firewall says it’s blocked? Do I need to patch something on sendmail? Or is
my firewall not doing its job (Sonicwall)? This is not the first time this has
happened.

11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141, 48102 - 10.80.80.210, 110

11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141, 64955, greatcooks.biz - 10.80.80.220, 110

11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141, 43068, greatcooks.biz - 10.80.80.210, 110

Any input would be much appreciated.

Thanks.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
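
Added example, not part of the original post: a Python parser for the firewall log lines quoted above that groups the port 110 SYN-flood drops by source address and reports the targeted hosts and the time between events, so the drops can be lined up against the times the POP service misbehaves. The field layout is inferred from the three lines shown, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three log lines from the post, one event per line.
SAMPLE_LOG = """\
11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141, 48102 - 10.80.80.210, 110
11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141, 64955, greatcooks.biz - 10.80.80.220, 110
11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141, 43068, greatcooks.biz - 10.80.80.210, 110
"""

# Assumed layout: timestamp - message - src ip, src port[, name] - dst ip, dst port
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+-\s+(?P<msg>.+?)\s+-\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<sport>\d+)"
    r"(?:,\s*(?P<name>[^\s,]+))?\s+-\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<dport>\d+)\s*$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(log_text, dport=110):
    """Group SYN-flood drops aimed at one destination port by source IP."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == dport and "SYN flood" in rec["msg"]:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        report[src] = {
            "events": len(recs),
            "targets": sorted({r["dst"] for r in recs}),
            "names": sorted({r["name"] for r in recs if r["name"]}),
            # Seconds between consecutive drops from this source.
            "gaps_s": [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])],
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the three posted lines this shows a single source reaching two internal hosts, with the drops spaced about fifteen minutes apart.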
 
11-20-2008, 06:31 PM
Kai Schaetzl

SYD flood dropped on Sendmail (centos 4.x)

Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:

> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.

port 110 is your POP server, probably dovecot.

> These servers require a reboot after each attack.

Because of what?

> My firewall says it's
> blocked?

I don't see this statement in your logs. How/where does it say this?

> Do I need to patch something on sendmail? Or is my firewall not
> doing its job (Sonicwall)? This is not the first time this has happened.

SYN floods are not unusual, even if it is not an attack.
What or if you want to do something depends on your situation.



Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
11-20-2008, 06:55 PM
"Chris Heiner"

SYD flood dropped on Sendmail (centos 4.x)

What would you like to know about my situation? I have 6 servers running
Centos 4.x and every time I get a SYN flood on port 110 the servers require
a reboot (all of them). It's been going on for a few months.

I have blocked the first few IPs but now it's random, every few weeks.

It's only my Centos boxes as I have others that are not affected by it.

Does that help?

Thanks in advance.

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
Of Kai Schaetzl
Sent: Thursday, November 20, 2008 11:31 AM
To: centos@centos.org
Subject: Re: [CentOS] SYD flood dropped on Sendmail (centos 4.x)

Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:

> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.

port 110 is your POP server, probably dovecot.

> These servers require a reboot after each attack.

Because of what?

> My firewall says it's
> blocked?

I don't see this statement in your logs. How/where does it say this?

> Do I need to patch something on sendmail? Or is my firewall not
> doing its job (Sonicwall)? This is not the first time this has happened.

SYN floods are not unusual, even if it is not an attack.
What or if you want to do something depends on your situation.



Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




----------------------------------------------
Gateway Anti-Spam Anti-Virus Protection by
Network Designs Inc. 949-727-3393
For a complete list of services go to
www.networkdesignsinc.com
----------------------------------------------

 
11-20-2008, 06:57 PM
"Chris Heiner"

SYD flood dropped on Sendmail (centos 4.x)

11/20/2008 02:53:04.864 - SYN flood attack dropped -
75.2.205.141, 48102 - 10.80.80.210, 110

11/20/2008 03:08:04.864 - SYN flood attack dropped -
75.2.205.141, 64955, greatcooks.biz - 10.80.80.220, 110

11/20/2008 03:23:08.864 - SYN flood attack dropped -
75.2.205.141, 43068, greatcooks.biz - 10.80.80.210, 110


These are the statements from my Firewall saying that it was dropped.

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
Of Kai Schaetzl
Sent: Thursday, November 20, 2008 11:31 AM
To: centos@centos.org
Subject: Re: [CentOS] SYD flood dropped on Sendmail (centos 4.x)

Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:

> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.

port 110 is your POP server, probably dovecot.

> These servers require a reboot after each attack.

Because of what?

> My firewall says it's
> blocked?

I don't see this statement in your logs. How/where does it say this?

> Do I need to patch something on sendmail? Or is my firewall not
> doing its job (Sonicwall)? This is not the first time this has happened.

SYN floods are not unusual, even if it is not an attack.
What or if you want to do something depends on your situation.



Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
11-20-2008, 07:07 PM
Les Mikesell

SYD flood dropped on Sendmail (centos 4.x)

Kai Schaetzl wrote:
> Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:
>
>> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.
>
> port 110 is your POP server, probably dovecot.
>
>> These servers require a reboot after each attack.
>
> Because of what?
>
>> My firewall says it's
>> blocked?
>
> I don't see this statement in your logs. How/where does it say this?
>
>> Do I need to patch something on sendmail? Or is my firewall not
>> doing its job (Sonicwall)? This is not the first time this has happened.
>
> SYN floods are not unusual, even if it is not an attack.
> What or if you want to do something depends on your situation.


If you have a popular server you can get what appear to be syn floods
from broken asymmetrical routing or bad firewall settings that permit
what would ordinarily be a normal number of client connection requests
to reach you but keep your response from getting back. So the clients
sit and retry, hammering you with syn's.


--
Les Mikesell
lesmikesell@gmail.com

 
11-20-2008, 07:24 PM
John Hinton

SYD flood dropped on Sendmail (centos 4.x)

Chris Heiner wrote:
> My guys,
>
> My firewall seems to block an attack my Centos / Sendmail boxes on
> port 110. These servers require a reboot after each attack. My
> firewall says it’s blocked? Do I need to patch something on sendmail?
> Or is my firewall not doing its job (Sonicwall)? This is not the first
> time this has happened.
>
> 11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141,
> 48102 - 10.80.80.210, 110
>
> 11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141,
> 64955, greatcooks.biz - 10.80.80.220, 110
>
> 11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141,
> 43068, greatcooks.biz - 10.80.80.210, 110
>
> Any input would be much appreciated.
>
> Thanks.


If these are to bogus email addresses, you might try letting sendmail
itself throttle the attacks. Look into sendmail's BAD_RCPT_THROTTLE.
This has done wonders for my systems.

John Hinton

 
11-20-2008, 07:38 PM
John Hinton

SYD flood dropped on Sendmail (centos 4.x)

John Hinton wrote:
> Chris Heiner wrote:
>> My guys,
>>
>> My firewall seems to block an attack my Centos / Sendmail boxes on
>> port 110. These servers require a reboot after each attack. My
>> firewall says it’s blocked? Do I need to patch something on sendmail?
>> Or is my firewall not doing its job (Sonicwall)? This is not the
>> first time this has happened.
>>
>> 11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141,
>> 48102 - 10.80.80.210, 110
>>
>> 11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141,
>> 64955, greatcooks.biz - 10.80.80.220, 110
>>
>> 11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141,
>> 43068, greatcooks.biz - 10.80.80.210, 110
>>
>> Any input would be much appreciated.
>>
>> Thanks.
>
> If these are to bogus email addresses, you might try letting sendmail
> itself throttle the attacks. Look into sendmail's BAD_RCPT_THROTTLE.
> This has done wonders for my systems.
>
> John Hinton

Duh... obviously I can't read. Sorry.

John Hinton
 
11-20-2008, 07:53 PM
Kai Schaetzl

SYD flood dropped on Sendmail (centos 4.x)

Chris, you still didn't answer *why* you have to reboot them. What exactly
is the symptom that makes you think you have to reboot?

I assume now that with "My firewall says it's blocked" you referred to the
drops? (Next time say so, as this wording is really ambiguous.)

> What would you like to know about my situation? I have 6 servers running

Yeah, so you are not a home user where one could rate-limit the port ;-)


Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
11-20-2008, 08:43 PM
"Chris Heiner"

SYD flood dropped on Sendmail (centos 4.x)

I get complaints about "the servers asking for username and password". I
started test@ accounts on many servers to try and track it down. And it
happens to all the servers that receive a SYN Flood. I.E. the problem with
each server coincides with firewall logs. It's a pattern every few weeks,
sometimes a few servers sometimes 2 or 3 but it always matches up with the
firewall log. I now have emails sent to me to alert of a port 110 SYN flood
so I am aware of the problem before I get a full voicemail box from
complaints. Most of the time it's in the middle of the night at 2am to 3am
and the problem is resolved by start of business day. So that would rule out
heavy usage from my users as the network reports show that it's quiet. We
have 10 MB fiber connection and all traffic is logged at many levels.

I have tried restarting POP and SMTP in the past, but rebooting seems to
work and if there isn't a fix I will have to continue this as I have many
other networking issues to resolve.

I just thought I would throw this problem out to the group and see if anyone
has any good ideas.

I have tracked this mail list for years and everyone is extremely
knowledgeable.

Thanks for any replies..


-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
Of Kai Schaetzl
Sent: Thursday, November 20, 2008 12:53 PM
To: centos@centos.org
Subject: Re: [CentOS] SYD flood dropped on Sendmail (centos 4.x)

Chris, you still didn't answer *why* you have to reboot them. What exactly
is the symptom that makes you think you have to reboot?

I assume now that with "My firewall says it's blocked" you referred to the
drops? (Next time say so, as this wording is really ambiguous.)

> What would you like to know about my situation? I have 6 servers running

Yeah, so you are not a home user where one could rate-limit the port ;-)


Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
11-20-2008, 08:46 PM
"Chris Heiner"

SYD flood dropped on Sendmail (centos 4.x)

Les,

I have had that issue before with high traffic users and you are correct,
but I think this may be another issue as it's an off-hours issue.

Thanks

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
Of Les Mikesell
Sent: Thursday, November 20, 2008 12:07 PM
To: CentOS mailing list
Subject: Re: [CentOS] SYD flood dropped on Sendmail (centos 4.x)

Kai Schaetzl wrote:
> Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:
>
>> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.
>
> port 110 is your POP server, probably dovecot.
>
>> These servers require a reboot after each attack.
>
> Because of what?
>
>> My firewall says it's
>> blocked?
>
> I don't see this statement in your logs. How/where does it say this?
>
>> Do I need to patch something on sendmail? Or is my firewall not
>> doing its job (Sonicwall)? This is not the first time this has happened.
>
> SYN floods are not unusual, even if it is not an attack.
> What or if you want to do something depends on your situation.

If you have a popular server you can get what appear to be syn floods
from broken asymmetrical routing or bad firewall settings that permit
what would ordinarily be a normal number of client connection requests
to reach you but keep your response from getting back. So the clients
sit and retry, hammering you with syn's.

--
Les Mikesell
lesmikesell@gmail.com

All times are GMT.