question on SYN_SENT

Chuck Swiger cswiger at
Fri May 11 23:08:59 UTC 2012

On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> It is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?

That's right.

> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below.   It was exhausting resources so that new tcp connections could not be made until some closed.

You have/had your jail opening connections to the webserver at IP, not that IP trying to connect to you.

> I added that address to a "pf" block statement to stop it but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of actual host on our side).   I am wondering if this shows something on our side trying to connect out?  That is what it appears to me to be, which does not make sense.
> tcp4       0      0 host.52562    SYN_SENT
> tcp4       0      0 host.52561    SYN_SENT

Yes, your side is trying to connect out.
Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

% whois
[ ... ]
inetnum: -
netname:      IL-GOVT-NET
descr:        Israeli Government Network
country:      IL
admin-c:      AT979-RIPE
tech-c:       TT441-RIPE
status:       ASSIGNED PI
mnt-by:       GOV-IL-DNS
mnt-lower:    GOV-IL-DNS
mnt-routes:   AS8867-MNT { ANY }
mnt-routes:   AS9116-MNT {^24-24 }
source:       RIPE # Filtered

person:         Admin Tehila
address:        Israel Ministry Of Finance
address:        1 Netanel Lorech st
address:        Jerusalem  Israel
phone:          +972 2 6664666
fax-no:         +972 2 6664650
remarks:        For ABUSE and security issues please contact
remarks:        email: abuse at
remarks:        or contact at report at
nic-hdl:        AT979-RIPE
source:         RIPE # Filtered
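
An added example, not part of the original message: since SYN_SENT marks connections the local side initiated, grouping those sockets by remote endpoint shows what the host or jail is trying to reach. The alert threshold and the sample addresses are assumptions, and the sample netstat output is constructed.

```shell
#!/bin/sh
# Count outbound half-open TCP connections per remote endpoint.
# Input: FreeBSD-style `netstat -an -p tcp` output on stdin.
# Output: "count address port" lines, busiest endpoint first.
syn_sent_summary() {
    awk '
        # Data rows: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && NF == 6 && $6 == "SYN_SENT" {
            # FreeBSD prints address.port; the port follows the last dot.
            dot = match($5, /\.[^.]*$/)
            if (dot == 0) next
            seen[substr($5, 1, dot - 1) " " substr($5, dot + 1)]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Succeeds (status 0) when one remote endpoint holds at least $1 sockets in
# SYN_SENT. The threshold is an assumed tuning value, not from the thread.
syn_sent_alert() {
    syn_sent_summary |
        awk -v limit="$1" '$1 >= limit { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Constructed sample (documentation-range addresses), not data from the thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.52562       203.0.113.5.80         SYN_SENT
tcp4       0      0 192.0.2.10.52561       203.0.113.5.80         SYN_SENT
tcp4       0      0 192.0.2.10.52560       203.0.113.5.80         SYN_SENT
tcp4       0      0 192.0.2.10.52001       198.51.100.7.443       SYN_SENT
tcp4       0      0 192.0.2.10.22          198.51.100.9.40112     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
EOF
}

# Live use on the host or inside the jail: netstat -an -p tcp | syn_sent_summary
sample_netstat | syn_sent_summary
```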


More information about the freebsd-questions mailing list