<html>
<head>
<style>
.sw_message P{margin:0px;padding:0px;}
.sw_message {FONT-SIZE: 12pt;FONT-FAMILY:Tahoma,Arial,Helvetica,sans-serif;background:white;}
.sw_message blockquote{margin-left:5px;padding-left:5px;border-left:2px solid #144fae;color: #144fae;}
.sw_message blockquote blockquote{border-left:2px solid #006312;color: #006312;}
.sw_message blockquote blockquote blockquote{border-left:2px solid #8e5656;color: #8e5656;}
.sw_message blockquote blockquote blockquote blockquote{border-left:2px solid #888;color: #888;}
</style>
</head>
<body class="sw_message">
Well, it's still going on, and is pretty much ruining Libero :( . Running CentOS 6, here.<br><br>Actually, I think from what I'm seeing that it may not exactly be a synflood targeting Libero. I think Libero may be being (ab)used to do massive portscanning or similar.<br><br>Image should be visible below - it's normal statistics for the 18th through say, part of the 21st, messed up 22ed - 24th and on the 24th me trying different things in an attempt to mitigate (graph is from yesterday). Look at the SYN_SENT2 maximum.<br><br><img src="cid:1511638806@1988527872.728"><br><br>When it's happening it can look like this:<br><br># netstat -n | grep -c SYN<br>17696<br>#<br><br>Also one tiny part of the netstat looked like this:<br><br><br>tcp 0 1 64.113.32.29:33354 <external IP munged>:81 SYN_SENT <br>tcp 0 1 64.113.32.29:39659 <external IP munged>:8888 SYN_SENT <br>tcp 0 1 64.113.32.29:44247 <external IP munged>:87 SYN_SENT <br>tcp 0 1 64.113.32.29:42038 <external IP munged>:8888 SYN_SENT <br>tcp 0 1 64.113.32.29:42077 <external IP munged>:83 SYN_SENT <br>tcp 0 1 64.113.32.29:36282 <external IP munged>:8888 SYN_SENT <br>tcp 0 1 64.113.32.29:46023 <external IP munged>:8888 SYN_SENT<br><br>Port 8888 is supposedly opened up for listen by a virus.<br><br><div> </div>
</body></html>