How to detect SYN attack

-
How to detect SYN attack?
During a SYN attack, the attacker is opening lots of connections to you server but never completes the TCP connection establishment process. The state of each connection will stay SYN_RECV. This is how to count such connections:
# netstat -anutp | grep SYN_RECV | wc -l
If the number is >30, it is likely that you are under a SYN attack.


However, I do not recommend to use netstat in automated scripts to monitor traffic. When you are under a real SYN attack, it may run too long and drain lots of CPU resources.
2) You can monitor live bandwidth of the attack using vnstat:
# vnstat -l -i eth0
It is a very useful tool that will definitely help you understand how powerful the attack is.
3) I also recommend you to install an advanced analogue of top called htop and also monitor how the attack affects your CPU resources. Launch htop:
# htop
Press F2, go to 'Display options' and choose 'Display threads in a different color'. You will see system interrupts in pink.
3) Take a look at the SYN packets (notice: ‘SYN segments’ or ‘segments with SYN flag set’ would be more correct, but who cares) - what do they have in common? You will need to replace or remove the interface name and the port number. '-c 100' means 'capture only 100 packets'.
# tcpdump -i eth0 -nn 'tcp port 80' and 'tcp[13] == 2' -c 100

Comments

Post a Comment

Popular Posts

Install and configure rsyslog Centralized logging server in CentOS

-
 Install and configure rsyslog Centralized logging server in CentOS 6.5 In this tutorial we will learn, how to install and configure rsyslog 7.6 version on RHEL 6.5/CentOS 6.5 .The scenario is, install and setup rsyslog Centralized Logging Server in RHEL/CentOS 6.5. All the logs from client servers will be sent to Centralized logging server i.e rsyslog server. Check Pre-installed rsyslog package Step 1: First of all check the rsyslog package is installed in your system.Generally by-default we get rsyslog version 5.x , after minimal installation of CentOS 6.x / RHEL 6.x We will install the latest rsyslog package. At the time of writing this post, rsyslog stable version 7.6 was available. You can find the latest package information from rsyslog official website Note: By default, RHEL 6.x and CentOS 6.x has rsyslog version 5.x. So here we will update the rsyslog with new version. You can get the rsyslog version information, by using below given two commands rpm -qa|grep rsyslog
Read more

How to fix postfix/smtp Network is unreachable error

-
While configuration postfix authentication getting the error status=deferred (delivery temporarily suspended: connect to smtp.office365.com[2603:1026:3:ca::2]:587: Network is unreachable) its because of you were not using IPv6/ wrong settings for ipv6. You can either use IPv4, or correct your IPv6 settings. [root@mailserver postfix]# netstat -nutlap | grep 25 tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3956/master tcp        0      0 127.0.0.1:38442         127.0.0.1:3306          ESTABLISHED 2596/httpd [root@mailserver postfix]# vi /etc/postfix/main.cf [root@mailserver postfix]# systemctl restart postfix [root@mailserver postfix]# netstat -nutlap | grep 25 tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4079/master tcp        0      0 127.0.0.1:38442         127.0.0.1:3306          ESTABLISHED 2596/httpd tcp6       0      0 :::25                   :::*                    LISTEN      407
Read more

Could not join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli

-
Couldn't join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli root@HPUX:~# realm join --user=domainuser@windows.local  windows.local -v  * Resolving: _ldap._tcp.windows.local  * Resolving: windows.local  * Performing LDAP DSE lookup on: 192.168.20.24  * Successfully discovered: windows.local Password for domainuser@windows.local:  * Unconditionally checking packages  * Resolving required packages  ! Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli realm: Couldn't join realm: Necessary packages are not installed: root@HPUX:~# apt-get install sssd-tools sssd libnss-sss libpam-sss adcli Reading package lists... Done Building dependency tree Reading state information... Done adcli is already the newest version (0.8.1-1). libnss-sss is already the newest version (1.13.4-1ubuntu1.7). libpam-sss is already the newest version (1.13.4-1ubuntu1.7). sssd is already the newest version (1.13.4-1u
Read more