Re: Help with DOS attack

["Jonny K" <mrjk600@gmail.com>]

Well i realize that my system is down at 6am while the tcpsyncookies was 1

anything else

On 5/20/07, Joris Dobbelsteen <Joris@familiedobbelsteen.nl> wrote:
> Two things you probably want to do:
>
> 1)
> Enable Syn cookies (disables use of the TCP backlog). Its used in most
> systems to reduce the effects of a SYN flooding attack.
>
> 2)
> Contact your ISP. They can usually help you with such problems. In
> general they are not happy with attacks directed to their networks.
>
> - Joris
>
> >-----Original Message-----
> >From: netfilter-bounces@lists.netfilter.org
> >[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jonny K
> >Sent: zondag 20 mei 2007 7:28
> >To: netfilter@lists.netfilter.org
> >Subject: Re: Help with DOS attack
> >
> >> it looks like someone dos attack my server any ideas how i
> >can handle
> >> it ?
> >>
> >> (i allready sysctl and change the backlog queue to 4096
> >insted of 1024   and i mange SYN timeout to 9 sec)
> >>
> >> any other ideas ?
> >>
> >>
> >> here is my netstat outputs
> >>
> >>
> >> [root@MYHOST ~]# netstat -an | grep SYN_REC  | wc
> >>     372    2232   33108
> >> [root@MYHOST ~]#
> >>
> >>
> >>
> >>
> >> Ip:
> >>     496709034 total packets received
> >>     0 forwarded
> >>
> >>     0 incoming packets discarded
> >>     496547054 incoming packets delivered
> >>     389034562 requests sent out
> >>     55 fragments dropped after timeout
> >>     499 reassemblies required
> >>     54 packets reassembled ok
> >>
> >>     55 packet reassembles failed
> >>     2 fragments received ok
> >> Icmp:
> >>     17083 ICMP messages received
> >>     25 input ICMP message failed.
> >>     ICMP input histogram:
> >>         destination unreachable: 11255
> >>
> >>         timeout in transit: 1579
> >>         source quenches: 353
> >>         echo requests: 3880
> >>         echo replies: 16
> >>     24339 ICMP messages sent
> >>     0 ICMP messages failed
> >>     ICMP output histogram:
> >>         destination unreachable: 20459
> >>
> >>         echo replies: 3880
> >> Tcp:
> >>     33725 active connections openings
> >>     38693945 passive connection openings
> >>     312156 failed connection attempts
> >>     521243 connection resets received
> >>     3 connections established
> >>
> >>     495811236 segments received
> >>     388303537 segments send out
> >>     14565173 segments retransmited
> >>     10279 bad segments received.
> >>     136512 resets sent
> >> Udp:
> >>     718164 packets received
> >>     571 packets to unknown port received.
> >>
> >>     0 packet receive errors
> >>     720360 packets sent
> >> TcpExt:
> >>     421 SYN cookies sent
> >>     99 SYN cookies received
> >>     43807 invalid SYN cookies received
> >>     1188232 resets received for embryonic SYN_RECV sockets
> >>
> >>     14 packets pruned from receive queue because of socket
> >buffer overrun
> >>     221 ICMP packets dropped because they were out-of-window
> >>     71 ICMP packets dropped because socket was locked
> >>     34829434 TCP sockets finished time wait in fast timer
> >>
> >>     2 time wait sockets recycled by time stamp
> >>     15358 packets rejects in established connections because
> >of timestamp
> >>     256833 delayed acks sent
> >>     2653 delayed acks further delayed because of locked socket
> >>
> >>     Quick ack mode was activated 119773 times
> >>     74580 times the listen queue of a socket overflowed
> >>     74580 SYNs to LISTEN sockets ignored
> >>     39205589 packets directly queued to recvmsg prequeue.
> >>     8376974 packets directly received from backlog
> >>
> >>     2265096902 packets directly received from prequeue
> >>     806823 packets header predicted
> >>     36687371 packets header predicted and directly queued to user
> >>     238781476 acknowledgments not containing data received
> >>
> >>     125709890 predicted acknowledgments
> >>     29275 times recovered from packet loss due to fast retransmit
> >>     1927589 times recovered from packet loss due to SACK data
> >>     1362 bad SACKs received
> >>     Detected reordering 6628 times using FACK
> >>
> >>     Detected reordering 4312 times using SACK
> >>     Detected reordering 4875 times using reno fast retransmit
> >>     Detected reordering 11976 times using time stamp
> >>     6435 congestion windows fully recovered
> >>
> >>     66640 congestion windows partially recovered using Hoe heuristic
> >>     TCPDSACKUndo: 957
> >>     16664 congestion windows recovered after partial ack
> >>     4188573 TCP data loss events
> >>     TCPLostRetransmit: 1192
> >>
> >>     5491 timeouts after reno fast retransmit
> >>     260050 timeouts after SACK recovery
> >>     200153 timeouts in loss state
> >>     6505780 fast retransmits
> >>     695080 forward retransmits
> >>     4881678 retransmits in slow start
> >>
> >>     1084146 other TCP timeouts
> >>     TCPRenoRecoveryFail: 14786
> >>     306771 sack retransmits failed
> >>     2225 times receiver scheduled too late for direct processing
> >>     294 packets collapsed in receive queue due to low socket buffer
> >>
> >>     121753 DSACKs sent for old packets
> >>     64 DSACKs sent for out of order packets
> >>     1007539 DSACKs received
> >>     1099 DSACKs for out of order packets received
> >>     10295 connections reset due to unexpected data
> >>
> >>     102 connections reset due to early user close
> >>     64688 connections aborted due to timeout
> >>
> >>
> >
> >