[tor-relays] Detecting Network Attack [re: exit synflooded]

tor at t-3.net tor at t-3.net
Sat Nov 25 19:58:31 UTC 2017


Well, it's still going on, and is pretty much ruining Libero :( . 
Running CentOS 6, here.

Actually, I think from what I'm seeing that it may not exactly be a 
synflood targeting Libero. I think Libero may be being (ab)used to do 
massive portscanning or similar.

Image should be visible below - it's normal statistics for the 18th 
through say, part of the 21st, messed up 22ed - 24th and on the 24th 
me trying different things in an attempt to mitigate (graph is from 
yesterday). Look at the SYN_SENT2 maximum.



When it's happening it can look like this:

# netstat -n | grep -c SYN
17696
#

Also one tiny part of the netstat looked like this:


tcp        0      1 64.113.32.29:33354          <external IP 
munged>:81            SYN_SENT
tcp        0      1 64.113.32.29:39659          <external IP 
munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:44247          <external IP 
munged>:87            SYN_SENT
tcp        0      1 64.113.32.29:42038          <external IP 
munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:42077          <external IP 
munged>:83           SYN_SENT
tcp        0      1 64.113.32.29:36282          <external IP 
munged>:8888         SYN_SENT
tcp        0      1 64.113.32.29:46023          <external IP 
munged>:8888           SYN_SENT

Port 8888 is supposedly opened up for listen by a virus.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171125/d96c27f6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synflood.png
Type: image/png
Size: 46133 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171125/d96c27f6/attachment-0001.png>


More information about the tor-relays mailing list