The spammer or a DoS attack? Doesn't really matter.


Submitted by msameer on Sun, 10/09/2006 - 6:55pm

So, I'm still a hardcore GNU/Linux administrator after all?!

Apache "the webserver" is down. Looks like the master process gets killed by the kernel. That's weird.

Now what's interesting is the dmesg output:

TCP: Treason uncloaked! Peer 62.68.70.130:62537/80 shrinks window 1681427947:1681430707. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61105/80 shrinks window 288684489:288684490. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61107/80 shrinks window 285018062:285018063. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61137/80 shrinks window 282542156:282542157. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61161/80 shrinks window 305746809:305746810. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61185/80 shrinks window 341351133:341351134. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61213/80 shrinks window 356410419:356410420. Repaired.

Looks like the peer is playing bad games with my TCP/IP stack, decreasing the window size. I guess that's why Apache was holding too many connections, something like 119 of them.

netstat output was interesting:

     88 CLOSE_WAIT
     21 SYN_RECV

I wouldn't know for sure, but I guessed that the high number of SYN requests is due to the high number of half-closed sockets.
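As an added example (not code from the original post), the following Python script parses the two pieces of evidence shown above: the kernel's "Treason uncloaked!" lines, aggregated per peer address so that a repeat offender stands out, and a `netstat -tan`-style socket list, tallied by TCP state the way the counts above were obtained. The dmesg sample is built from the lines quoted in the post plus one unrelated line; the netstat sample, the local address 192.0.2.10 and the `min_events` threshold are constructed for the example.

```python
import re
from collections import Counter

# Regex for the kernel message format quoted above:
# "Peer <ip>:<port>/<local_port> shrinks window <seq1>:<seq2>".
# seq1/seq2 are the two sequence values the kernel prints; the example
# keeps only their difference to show how far the window moved.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)/(?P<lport>\d+)"
    r" shrinks window (?P<seq1>\d+):(?P<seq2>\d+)\. Repaired\."
)

# Constructed sample: the seven lines from the post plus one benign line.
SAMPLE_DMESG = """\
eth0: link up
TCP: Treason uncloaked! Peer 62.68.70.130:62537/80 shrinks window 1681427947:1681430707. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61105/80 shrinks window 288684489:288684490. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61107/80 shrinks window 285018062:285018063. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61137/80 shrinks window 282542156:282542157. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61161/80 shrinks window 305746809:305746810. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61185/80 shrinks window 341351133:341351134. Repaired.
TCP: Treason uncloaked! Peer 62.68.79.66:61213/80 shrinks window 356410419:356410420. Repaired.
"""

# Constructed sample in `netstat -tan` layout (state is the sixth column).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           62.68.79.66:61105       CLOSE_WAIT
tcp        0      0 192.0.2.10:80           62.68.79.66:61107       CLOSE_WAIT
tcp        0      0 192.0.2.10:80           62.68.79.66:61137       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
"""


def parse_treason(text):
    """Return one dict per 'Treason uncloaked!' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TREASON_RE.search(line)
        if m:
            events.append({
                "peer_ip": m["ip"],
                "peer_port": int(m["port"]),
                "local_port": int(m["lport"]),
                "seq_delta": int(m["seq2"]) - int(m["seq1"]),
            })
    return events


def events_per_peer(events):
    """How many times each peer address tripped the kernel check."""
    return Counter(e["peer_ip"] for e in events)


def repeat_offenders(events, min_events=2):
    """Peers seen at least min_events times, most frequent first."""
    counts = events_per_peer(events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= min_events]


def count_states(netstat_text):
    """Tally TCP socket states from netstat -tan output (header lines are skipped)."""
    states = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp"):
            states[parts[5]] += 1
    return states


def drop_rules(ips):
    """Build (not execute) the iptables rules an admin would review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    evs = parse_treason(SAMPLE_DMESG)
    for ip, n in events_per_peer(evs).most_common():
        print(f"{ip}: {n} window-shrink events")
    for state, n in count_states(SAMPLE_NETSTAT).most_common():
        print(f"{n:>6} {state}")
    for rule in drop_rules(repeat_offenders(evs)):
        print(rule)
```

On a live box you would feed it `dmesg` and `netstat -tan` output instead of the embedded samples; the rules are returned as strings rather than run, so the address list can be checked against legitimate clients (a busy NAT gateway can trip the same kernel message) before anything is dropped.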

The problem is that after I've decreased the CLOSE_WAIT time via:

echo 2 >  /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait

the number of TIME_WAIT sockets started to increase, so I shortened that timeout as well:

echo 10 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait

Of course all the above might be incorrect or even nonsense. Let's see.

Comments

Submitted by Anonymous (not verified) on Wed, 20/09/2006 - 12:44pm

Yeah, this is a DoS attack. You should have just blocked the ip

Submitted by msameer on Wed, 20/09/2006 - 3:04pm

Wish I could. It wasn't one IP!

Submitted by Anonymous (not verified) on Wed, 20/09/2006 - 12:46pm

do you know any good ip tables tutorial?

Submitted by msameer on Wed, 20/09/2006 - 3:04pm

Nothing other than the howtos on netfilter.org :|

Submitted by Ammar Ibrahim (not verified) on Tue, 10/10/2006 - 1:07am

Shit, I see this all the time on my servers... if you reach a solution please share!

Submitted by laffin (not verified) on Tue, 19/02/2008 - 8:11pm

Yes... we need a solution, I think my server is under a DDoS attack... how can I block the IPs?

Thank you!
laffin

Submitted by Anonymous (not verified) on Fri, 29/02/2008 - 10:40am

Block it from mangle,
it's the best solution.

Submitted by Anonymous (not verified) on Wed, 21/05/2008 - 8:15am

You can use a simple script:
#!/bin/bash
# Collect the unique peer addresses from the kernel's "Treason uncloaked!" messages.
# Field 5 of each line is "ip:port/localport"; keep only the part before the first colon.
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)
do
    iptables -A INPUT -s "$ATTACKER_IP" -j DROP
done
