Hello guys,
Recently one of my shared servers received several hits from 2 or 3 IP addresses, these hits increased server load average to a huge number, I will paste the output kernel messages I got at the console while under this attack, what csf option would help me prevent this kind of attack? (ports 585 and 1270 are not allowed under tcp in csf configuration option):
Jul 3 18:58:34 gilmour kernel: [87017.722237] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=1446 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:37 gilmour kernel: [87020.721475] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=1641 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:56 gilmour kernel: [87039.727261] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=2756 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:59 gilmour kernel: [87042.723871] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=2927 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:52:00 gilmour kernel: [ 1108.768284] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=8333 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:02 gilmour kernel: [ 1110.770325] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=8337 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:17 gilmour kernel: [ 1125.734031] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=8347 DF PROTO=TCP SPT=41335 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:17 gilmour kernel: [ 1125.773136] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=8348 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
how to block this kind of attack
how to block this kind of attack
Last edited by hostmach on 23 Jul 2015, 15:15, edited 1 time in total.
Re: how to block this kind of attack
Secure IMAP (IMAP4-SSL) - port 585
Outlook or Apple Mail tries to connect to this port by default when configuring email. So, if you don't want to open that port just add it to the DROP_NOLOG option.
Microsoft Operations Manager 2000 - port 1270
As before, as the port is blocked in CSF add this port to the DROP_NOLOG option.
On the other hand, when posting try to hide the DST IP as that is the IP of your server.
Sergio
Outlook or Apple Mail tries to connect to this port by default when configuring email. So, if you don't want to open that port just add it to the DROP_NOLOG option.
Microsoft Operations Manager 2000 - port 1270
As before, as the port is blocked in CSF add this port to the DROP_NOLOG option.
On the other hand, when posting try to hide the DST IP as that is the IP of your server.
Sergio
Re: how to block this kind of attack
Sergio, how many ports can we add to the DROP_NOLOG option without affecting server performance?
-
- Junior Member
- Posts: 1
- Joined: 14 Jun 2018, 22:04
Re: how to block this kind of attack
This is also a common problem for the Mac users. I suggest you use a proxy server. Use any VPN which hides your actual IP and shows a dummy or other residential IP. Apple Support USA might help further.