Date: Fri, 11 May 2012 16:15:48 -0600
From: "Chad Leigh Shire.Net LLC" <chad@shire.net>
To: Chuck Swiger <cswiger@mac.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: question on SYN_SENT
Message-ID: <0A88B145-82C4-4167-AD13-829CCAC6298F@shire.net>
In-Reply-To: <4782C161-4B28-4276-9559-A54B711368F1@mac.com>
References: <D8AF0C20-E2C0-44A4-89DF-B614F3DBBFF6@shire.net> <4782C161-4B28-4276-9559-A54B711368F1@mac.com>
On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
> On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
>> it is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?
>
> That's right.
>
>> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new tcp connections could not be made until some closed.
>
> You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.
>
>> I added that address to a "pf" block statement to stop it, but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
>>
>>
>> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
>> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
>
> Yes, your side is trying to connect out.
> Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:
Hi Chuck!
Thanks. I am investigating as this side should not be going out at all, but the SYN_SENT made me think it was.
Thanks
Chad
>
> % whois 147.237.76.155
> [ ... ]
> inetnum: 147.237.0.0 - 147.237.255.255
> netname: IL-GOVT-NET
> descr: Israeli Government Network
> country: IL
> admin-c: AT979-RIPE
> tech-c: TT441-RIPE
> status: ASSIGNED PI
> mnt-by: GOV-IL-DNS
> mnt-lower: GOV-IL-DNS
> mnt-routes: AS8867-MNT { ANY }
> mnt-routes: AS9116-MNT { 147.237.232.0/24^24-24 }
> source: RIPE # Filtered
>
> person: Admin Tehila
> address: Israel Ministry Of Finance
> address: 1 Netanel Lorech st
> address: Jerusalem Israel
> phone: +972 2 6664666
> fax-no: +972 2 6664650
> remarks: For ABUSE and security issues please contact
> remarks: email: abuse@tehila.gov.il
> remarks: or contact CERT.gov.il at report@CERT.gov.il
> nic-hdl: AT979-RIPE
> source: RIPE # Filtered
>
> Regards,
> --
> -Chuck
>
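A small script to confirm the direction of such half-open sockets from `netstat -a` output, added here as an example and not part of the thread; the sample lines and the `host.` name are constructed in the format quoted above, and the peer threshold is an assumed tuning value.

```python
from collections import Counter

# Constructed sample of FreeBSD `netstat -a` output in the format quoted in the
# thread; the "host." name and port numbers are made up for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 host.52562             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.http              203.0.113.9.41022      ESTABLISHED
tcp4       0      0 *.ssh                  *.*                    LISTEN
"""

def split_addr(field):
    """FreeBSD netstat joins address and port with a dot, so the port is the
    text after the LAST dot ('147.237.76.155.http' -> '147.237.76.155', 'http')."""
    host, _, port = field.rpartition(".")
    return host, port

def parse_netstat(text):
    """Yield (proto, local_host, local_port, foreign_host, foreign_port, state)
    for each TCP socket line; headers and non-TCP lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = parts
        lh, lp = split_addr(local)
        fh, fp = split_addr(foreign)
        yield proto, lh, lp, fh, fp, state

def outbound_syn_sent(text, threshold=2):
    """Count SYN_SENT sockets per foreign host:port. SYN_SENT means our side
    sent the SYN, so many of them against one peer show this host initiating
    connections, not receiving them. Returns peers at or above threshold."""
    counts = Counter()
    for _proto, _lh, _lp, fh, fp, state in parse_netstat(text):
        if state == "SYN_SENT":
            counts[f"{fh}:{fp}"] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for peer, n in outbound_syn_sent(SAMPLE_NETSTAT).items():
        print(f"{n} half-open outbound connections to {peer}")
```

Once the peer is confirmed, `sockstat -j <jid>` on FreeBSD ties each socket to the jail and owning process, which narrows the search to the process opening these connections.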