question on SYN_SENT
Chuck Swiger
cswiger at mac.com
Fri May 11 23:08:59 UTC 2012
On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> it is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?
That's right.
> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new tcp connections could not be made until some closed.
You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.
> I added that address to a "pf" block statement to stop it but now we get a rolling connections in a "netstat -a" as show below (host. being a generic name used in place of actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
>
>
> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
Yes, your side is trying to connect out.
Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:
% whois 147.237.76.155
[ ... ]
inetnum: 147.237.0.0 - 147.237.255.255
netname: IL-GOVT-NET
descr: Israeli Government Network
country: IL
admin-c: AT979-RIPE
tech-c: TT441-RIPE
status: ASSIGNED PI
mnt-by: GOV-IL-DNS
mnt-lower: GOV-IL-DNS
mnt-routes: AS8867-MNT { ANY }
mnt-routes: AS9116-MNT { 147.237.232.0/24^24-24 }
source: RIPE # Filtered
person: Admin Tehila
address: Israel Ministry Of Finance
address: 1 Netanel Lorech st
address: Jerusalem Israel
phone: +972 2 6664666
fax-no: +972 2 6664650
remarks: For ABUSE and security issues please contact
remarks: email: abuse at tehila.gov.il
remarks: or contact CERT.gov.il at report at CERT.gov.il
nic-hdl: AT979-RIPE
source: RIPE # Filtered
Regards,
--
-Chuck
More information about the freebsd-questions
mailing list