Date:      Fri, 11 May 2012 19:06:18 -0500 (CDT)
From:      Robert Bonomi <bonomi@mail.r-bonomi.com>
To:        chad@shire.net, cswiger@mac.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: question on SYN_SENT
Message-ID:  <201205120006.q4C06Itk036463@mail.r-bonomi.com>
In-Reply-To: <0A88B145-82C4-4167-AD13-829CCAC6298F@shire.net>

> From owner-freebsd-questions@freebsd.org  Fri May 11 17:19:29 2012
> From: "Chad Leigh Shire.Net LLC" <chad@shire.net>
> Date: Fri, 11 May 2012 16:15:48 -0600
> To: Chuck Swiger <cswiger@mac.com>
> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
> Subject: Re: question on SYN_SENT
>
>
> On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
>
> > On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> >> it is my understanding that SYN_SENT is when MY SIDE sends out a request
> >> and is awaiting a reply?
> > 
> > That's right.
> > 
> >> One of the jails we run for a customer had hundreds (if not thousands) of
> >> attempts to connect from the 147. address you see below. 

Correction.  As Chuck pointed out it is your box attempting to connect *TO*
that address.

> >> It was exhausting resources so that new tcp connections could not be made
> >> until some closed.
> > 
> > You have/had your jail opening connections to the webserver at IP
> > 147.237.76.155, not that IP trying to connect to you.
> > 
> >> I added that address to a "pf" block statement to stop it but now we get
> >> rolling connections in a "netstat -a" as shown below (host. being a
> >> generic name used in place of the actual host on our side).   I am wondering
> >> if this shows something on our side trying to connect out?  That is what
> >> it appears to me to be, which does not make sense.
> >> 
> >> 
> >> tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
> >> tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
> > 
> > Yes, your side is trying to connect out.
> > Unless you know better, it seems reasonable to gather that it's doing a
> > DoS attack against:
>
> Hi Chuck!
>
> Thanks.  I am investigating as this side should not be going out at all, but
> the SYN_SENT made me think it was.
>

'Should not' does not mean 'is not'; and unfortunately, it -is- attempting
to "go out".

There are at least a couple of possible explanations, none of them "good".
  1) the jail is attempting a DoS (or participating in a DDoS) against an
     Israeli _government_ network/machine.
  2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
     instructions.

The webserver on the IP address listed has -extremely- 'suspicious' content,
to wit:
    <html>
    <body>
    <script>
    document.cookie='fffffff=ee0333b9fffffff_ee0333b9; path=/';
    window.location.href=window.location.href;
    </script>
    </body>
    </html>
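The thread turns on reading a "netstat -a" listing correctly: SYN_SENT rows are sockets the local host opened itself, and a rolling set of ephemeral local ports all aimed at one foreign host is the signature of something local retrying outbound connections. The following script is an added example, not part of this mailing-list thread; it aggregates SYN_SENT rows per foreign host so an operator can spot that pattern quickly. It assumes the FreeBSD netstat column layout shown in the quoted output (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, state, with addresses written as host.port), and the netstat sample it parses is constructed for the example.

```shell
#!/bin/sh
# Summarise outbound connection attempts stuck in SYN_SENT, per foreign host.
# Reads netstat output on stdin; prints "foreign_host attempts distinct_local_ports"
# for every foreign host with at least $1 attempts (default 10), busiest first.
syn_sent_report() {
  threshold="${1:-10}"
  awk -v thr="$threshold" '
    # Only TCP rows in SYN_SENT: a socket this host opened and is still waiting on.
    $1 ~ /^tcp/ && $6 == "SYN_SENT" {
      host = $5; sub(/\.[^.]*$/, "", host)   # strip the port/service suffix
      lport = $4; sub(/^.*\./, "", lport)    # keep only the local port
      attempts[host]++
      key = host SUBSEP lport
      if (!(key in seen)) { seen[key] = 1; nports[host]++ }
    }
    END {
      for (h in attempts)
        if (attempts[h] >= thr)
          printf "%s %d %d\n", h, attempts[h], nports[h]
    }' | sort -k2 -nr
}

# Constructed sample of "netstat -an" output (not captured from any real host).
# The four rows to 147.237.76.155 mirror the rolling-local-port pattern from the
# thread; the rest is ordinary listener/established noise the report must ignore.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.52562       147.237.76.155.80      SYN_SENT
tcp4       0      0 192.0.2.10.52561       147.237.76.155.80      SYN_SENT
tcp4       0      0 192.0.2.10.52560       147.237.76.155.80      SYN_SENT
tcp4       0      0 192.0.2.10.52559       147.237.76.155.80      SYN_SENT
tcp4       0      0 192.0.2.10.52558       198.51.100.7.443       SYN_SENT
tcp4       0      0 192.0.2.10.22          203.0.113.5.41002      ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.514                  *.*'

# Demonstration on the constructed sample; on a live FreeBSD host feed the
# report with:  netstat -an | syn_sent_report 20
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sent_report 3
```

With the threshold set to 3 the sample yields one line, "147.237.76.155 4 4": four attempts from four different local ports, while the single attempt to 198.51.100.7 falls below the threshold. A count that keeps climbing across repeated runs, with the local port advancing each time, is the same thing the poster saw after adding the pf block rule: the block stops the packets leaving, but it does not stop whatever inside the jail keeps asking for the connection, so the process itself still has to be found.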

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201205120006.q4C06Itk036463>