
CSF crashes the server when receiving attacks

Posted: 05 Dec 2014, 13:37
by cesarlwh
I have CSF installed on all servers, and since last month I have been receiving attacks with 15~30Mbps of traffic. With CSF enabled the server crashes; I need to access it with KVM and disable CSF, then the server responds again.

I have already enabled SYN flood protection, but that did not resolve it.

I changed the size of the conntrack tables, but that did not resolve it either (echo 65535 > /proc/sys/net/nf_conntrack_max). The server has 1Gbps bandwidth.

Is there a solution to this? Can CSF block these attacks? See part of the logs:

Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=38558 PROTO=TCP SPT=61475 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Firewall: *SYNFLOOD Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=420 PROTO=TCP SPT=1866 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=59084 PROTO=TCP SPT=14681 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Firewall: *SYNFLOOD Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=19067 PROTO=TCP SPT=20818 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=4230 PROTO=TCP SPT=26995 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Firewall: *SYNFLOOD Blocked* IN=em1 OUT= MAC=00:a0:d1:eb:a5:d8:74:8e:f8:28:52:00:08:00 SRC=104.237.132.104 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=65496 PROTO=TCP SPT=32956 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0

The server runs cPanel, CloudLinux 6.5
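
Added example, not part of the original post and not CSF's own code: a Python sketch that groups log lines in the format shown above by source address, so a single source sending SYN-only packets from many source ports to one destination port stands out. The sample lines (documentation addresses) and the names `parse_line` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the post's log format (documentation addresses only).
_F = ("IN=em1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC={src} "
      "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID={id} PROTO=TCP "
      "SPT={spt} DPT={dpt} WINDOW=512 RES=0x00 SYN URGP=0")
SAMPLE = "\n".join([
    "Firewall: *TCP_IN Blocked* " + _F.format(src="192.0.2.10", id=1, spt=61475, dpt=0),
    "Firewall: *SYNFLOOD Blocked* " + _F.format(src="192.0.2.10", id=2, spt=1866, dpt=0),
    "Firewall: *TCP_IN Blocked* " + _F.format(src="192.0.2.10", id=3, spt=14681, dpt=0),
    "Firewall: *SYNFLOOD Blocked* " + _F.format(src="192.0.2.10", id=4, spt=20818, dpt=0),
    "Firewall: *TCP_IN Blocked* " + _F.format(src="192.0.2.77", id=5, spt=40000, dpt=23),
    "kernel: unrelated line that the parser must skip",
])

LINE_RE = re.compile(r"Firewall: \*(?P<label>\S+) Blocked\* (?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_line(line):
    """Return a dict of KEY=value fields plus the rule label and bare TCP flags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"label": m.group("label"), "flags": set()}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # e.g. SRC, DPT, WINDOW
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)   # flags are logged as bare words
    return rec

def summarize(text):
    """Per source: packet count, rule labels hit, ports seen, SYN-only count."""
    per_src = defaultdict(lambda: {"packets": 0, "labels": Counter(),
                                   "dports": Counter(), "sports": set(), "syn_only": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        s = per_src[rec["SRC"]]
        s["packets"] += 1
        s["labels"][rec["label"]] += 1
        s["dports"][rec.get("DPT", "?")] += 1
        s["sports"].add(rec.get("SPT"))
        s["syn_only"] += int(rec["flags"] == {"SYN"})
    return dict(per_src)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["packets"]):
        print(src, s["packets"], dict(s["labels"]), dict(s["dports"]), len(s["sports"]))
```
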

Re: CSF crashes the server when receiving attacks

Posted: 05 Dec 2014, 13:38
by cesarlwh
Blocking the IP with "csf -d" does not resolve it either...