[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Detecting Network Attack [re: exit synflooded]

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
From: tor@xxxxxxx
Date: Sat, 25 Nov 2017 14:58:31 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 25 Nov 2017 14:58:54 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default; t=1511639915; bh=exY3Bp8LgPozOS/kgVMo52GBh3mJvDu9DZSQTWc2fjY=; h=From:To:Subject:Date; b=GSBTzk0+QZTISZS1B1xYNNRmwmj1ET/1hb8VDsoQManVI0GAiUSFlIuhkjn/kjETO PGpy8N0p4WUo1uyMJPxeBX8wfKZaRCOC5Vv06p5lOqW3eUeSGunoGuGVO1xwIdJxzk TuX9odftGs1qeo5IeSMm5ZaMbiRV16WNzevuRcyU=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Well, it's still going on, and is pretty much ruining Libero :( . Running CentOS 6, here.

Actually, I think from what I'm seeing that it may not exactly be a synflood targeting Libero. I think Libero may be being (ab)used to do massive portscanning or similar.

Image should be visible below - it's normal statistics for the 18th through say, part of the 21st, messed up 22ed - 24th and on the 24th me trying different things in an attempt to mitigate (graph is from yesterday). Look at the SYN_SENT2 maximum.

When it's happening it can look like this:

# netstat -n | grep -c SYN
17696
#

Also one tiny part of the netstat looked like this:

tcp        0      1 64.113.32.29:33354          <external IP munged>:81            SYN_SENT
tcp        0      1 64.113.32.29:39659          <external IP munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:44247          <external IP munged>:87            SYN_SENT
tcp        0      1 64.113.32.29:42038          <external IP munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:42077          <external IP munged>:83           SYN_SENT
tcp        0      1 64.113.32.29:36282          <external IP munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:46023          <external IP munged>:8888           SYN_SENT

Port 8888 is supposedly opened up for listen by a virus.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
  - From: grarpamp

Prev by Author: Re: [tor-relays] Pretty sure our exit was being synflooded
Next by Author: Re: [tor-relays] Atlas is now Relay Search!
Previous by thread: Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
Next by thread: Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
Index(es):
- Author
- Thread