Running netstat
is showing hundreds of this line, even after rebooting the server — it starts sending again, causing many connections to that IP.
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
I stopped all scripts, but it still keeps trying.
I know this means the IP is not responding to SYN_SENT, but how can I stop those SYN_SENT? Or what is the best solution to this?
Thanks.
“SYN_SENT” signifies that the local client has initiated a TCP socket to connect to a server socket. If acknowledged by the server, the client socket state will proceed to ESTABLISHED. The “Established” state confirms that the end-to-end transport-layer connection between the local host and the remote server or endpoint is complete.
SYN-SENT (or SYN) is a packet within the Transmission Control Protocol (TCP) where the client has sent a connection request to the server and is waiting for the server's SYN-ACK response.
This question seems to be getting many views but yet no answer, so I decided to answer my own question for anyone looking for a solution.
First things first: knowing the reason is half of the solution. I was under what is called a SYN flooding attack, which uses HTTP protocol behavior against itself.
The short of it is, a remote client tries to establish a connection with your server by sending SYN, your server replies with SYN_ACK (in your logs you will see SYN_SENT) and waits until it receives ACK. If ACK is not received within xx seconds, your server sends SYN_ACK again, ... and again ... and again. It eventually reaches the configured threshold and stops accepting any more SYN requests, making your server unresponsive. One of the symptoms I had was that my website would respond once like nothing was wrong, but then not respond the next xx times.
The solution that worked for me was enabling SYN cookies. SSH into your server and open the following file using your favorite editor. I'm using vi in this example:
vi /etc/sysctl.conf
And add these lines to the file, then restart your server. Hopefully this will stop the attack as it did for me:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
I was using CentOS. I think the above solution will work on all distributions, but in case it doesn't, search for "How to stop SYN Flooding Attack" for your Linux distribution.
On a side note, blocking the IPs initiating the SYN requests will probably not help, because most likely the attacker has spoofed the IPs.
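Added example, not code from the question or from the answer above: a small POSIX shell helper that summarises a netstat -tan dump by TCP state and remote address. It is meant for the diagnosis step that precedes the sysctl change, because the two half-open states point in opposite directions: SYN_SENT means this host sent the SYN and is waiting for a SYN-ACK (it is the one dialling out), while SYN_RECV means this host received a SYN and replied with SYN-ACK (remote hosts are dialling in, which is what a SYN flood against a listening port looks like). The sample lines are constructed; 10.0.0.5, 198.51.100.7 and 203.0.113.9 are placeholder addresses, and 154.45.206.59 is the address from the question. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise `netstat -tan` output
# by TCP state and remote address to see which side initiates the half-open
# connections:
#   SYN_SENT = this host sent the SYN, waiting for SYN-ACK   (outbound)
#   SYN_RECV = this host got a SYN and sent SYN-ACK, waiting for ACK (inbound)

# Constructed sample in the layout of `netstat -tan`
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State).
# 10.0.0.5, 198.51.100.7 and 203.0.113.9 are placeholders;
# 154.45.206.59 is the address from the question.
SAMPLE_NETSTAT='tcp        0      1 10.0.0.5:36283        154.45.206.59:443       SYN_SENT
tcp        0      1 10.0.0.5:36284        154.45.206.59:443       SYN_SENT
tcp        0      1 10.0.0.5:36285        154.45.206.59:443       SYN_SENT
tcp        0      0 10.0.0.5:443          198.51.100.7:51000      SYN_RECV
tcp        0      0 10.0.0.5:443          198.51.100.7:51001      SYN_RECV
tcp        0      0 10.0.0.5:443          203.0.113.9:40000       ESTABLISHED'

# count_state STATE
# Reads netstat lines on stdin; prints "<count> <remote-ip>" for every remote
# address that has sockets in STATE, most frequent first.
count_state() {
    awk -v st="$1" '
        $1 ~ /^tcp/ && $6 == st {
            ip = $5
            sub(/:[^:]*$/, "", ip)   # strip the port; also fine for IPv6 text
            c[ip]++
        }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn
}

# syn_direction
# Reads netstat lines on stdin; prints "outbound" when SYN_SENT sockets are at
# least as many as SYN_RECV (this host is dialling out), "inbound" when
# SYN_RECV dominates (remote hosts are dialling in, the SYN-flood case), or
# "none" when there are no half-open sockets at all.
syn_direction() {
    awk '
        $1 ~ /^tcp/ { n[$6]++ }
        END {
            s = n["SYN_SENT"] + 0; r = n["SYN_RECV"] + 0
            if (s == 0 && r == 0) print "none"
            else if (s >= r)     print "outbound"
            else                 print "inbound"
        }
    '
}

# show_syn_sysctls
# Prints the current values of the three knobs the answer sets, read straight
# from /proc so no sysctl binary is needed; missing files are skipped.
show_syn_sysctls() {
    for k in tcp_syncookies tcp_max_syn_backlog tcp_synack_retries; do
        f="/proc/sys/net/ipv4/$k"
        [ -r "$f" ] && printf 'net.ipv4.%s = %s\n' "$k" "$(cat "$f")"
    done
    return 0
}

# Demo on the constructed sample. On a live host replace the printf with
# `netstat -tan | count_state SYN_SENT`.
printf '%s\n' "$SAMPLE_NETSTAT" | count_state SYN_SENT
printf '%s\n' "$SAMPLE_NETSTAT" | syn_direction
show_syn_sysctls
```

If the summary says "outbound", the sysctl settings in the answer will not change anything, because SYN cookies only affect the listening side; in that case `ss -tanp state syn-sent` shows which local process owns the sockets that keep dialling 154.45.206.59. If it says "inbound" with many SYN_RECV entries spread across source addresses, that is the listening-side backlog pressure the SYN-cookie settings are meant to relieve.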