question on SYN_SENT
bonomi at mail.r-bonomi.com
Sat May 12 00:05:08 UTC 2012
> From owner-freebsd-questions at freebsd.org Fri May 11 17:19:29 2012
> From: "Chad Leigh Shire.Net LLC" <chad at shire.net>
> Date: Fri, 11 May 2012 16:15:48 -0600
> To: Chuck Swiger <cswiger at mac.com>
> Cc: FreeBSD Mailing List <freebsd-questions at freebsd.org>
> Subject: Re: question on SYN_SENT
> On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
> > On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> >> it is my understanding that SYN_SENT is when MY SIDE sends out a
> >> request and is awaiting a reply?
> > That's right.
> >> One of the jails we run for a customer had hundreds (if not thousands)
> >> of attempts to connect from the 147. address you see below.
Correction. As Chuck pointed out it is your box attempting to connect *TO*
> >> It was exhausting resources so that new tcp connections could not be
> >> made until some closed.
> > You have/had your jail opening connections to the webserver at IP
> > 147.237.76.155, not that IP trying to connect to you.
> >> I added that address to a "pf" block statement to stop it but now we
> >> get rolling connections in a "netstat -a" as shown below (host. being
> >> a generic name used in place of actual host on our side). I am
> >> wondering if this shows something on our side trying to connect out?
> >> That is what it appears to me to be, which does not make sense.
> >> tcp4 0 0 host.52562 18.104.22.168.http SYN_SENT
> >> tcp4 0 0 host.52561 22.214.171.124.http SYN_SENT
> > Yes, your side is trying to connect out.
> > Unless you know better, it seems reasonable to gather that it's doing a
> > DoS attack against:
> Hi Chuck!
> Thanks. I am investigating as this side should not be going out at all,
> but the SYN_SENT made me think it was.
'Should not' does not mean 'is not', and unfortunately, it -is- attempting
to "go out".
There are at least a couple of possible explanations, none of them "good".
1) the jail is attempting a DoS (or participating in DDoS) against an
Israeli _government_ network/machine.
2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
The webserver on the IP address listed has -extremely- 'suspicious' content,
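An added example, not from this thread or its participants: a small parser for `netstat -an`-style rows in the format quoted above that counts SYN_SENT sockets per foreign endpoint. Because SYN_SENT is set only on the side that sent the SYN, a pile-up of SYN_SENT rows against one foreign host is the local box (or jail) connecting out, which is the point Chuck and Robert make. The sample rows, the `host` placeholder and the threshold are constructed.

```python
"""Count half-open outbound TCP attempts per destination from netstat rows.
Added example (not from the thread): parses `netstat -an`-style rows in the
format quoted above. SYN_SENT is set only on the side that sent the SYN, so
every SYN_SENT row is locally initiated. Sample rows/threshold constructed."""
import re
from collections import Counter

# Constructed sample; 'host' stands in for the local hostname as in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 host.52562             18.104.22.168.http     SYN_SENT
tcp4       0      0 host.52561             22.214.171.124.http    SYN_SENT
tcp4       0      0 host.52560             22.214.171.124.http    SYN_SENT
tcp4       0      0 host.52559             22.214.171.124.http    SYN_SENT
tcp4       0      0 host.22                10.0.0.5.40112         ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
"""

LINE_RE = re.compile(r"^(tcp[46])\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(endpoint):
    """'22.214.171.124.http' -> ('22.214.171.124', 'http'); port follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_netstat(text):
    """Yield (proto, local_host, local_port, foreign_host, foreign_port, state)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banner/header lines and non-TCP rows
        proto, local, foreign, state = m.groups()
        yield (proto, *split_endpoint(local), *split_endpoint(foreign), state)

def outbound_syn_sent(text):
    """Count SYN_SENT sockets per (foreign_host, foreign_port): all local-initiated."""
    counts = Counter()
    for _, _, _, fhost, fport, state in parse_netstat(text):
        if state == "SYN_SENT":
            counts[(fhost, fport)] += 1
    return counts

def suspicious_destinations(text, threshold=3):
    """Foreign endpoints with at least `threshold` half-open outbound attempts."""
    return sorted(d for d, n in outbound_syn_sent(text).items() if n >= threshold)

if __name__ == "__main__":
    print(outbound_syn_sent(SAMPLE_NETSTAT).most_common())
    print("flagged:", suspicious_destinations(SAMPLE_NETSTAT))
```

On a live system, feed it `netstat -an | python3 this_script.py`-style piped output (or a jail's `netstat -an -j <jid>`) and the flagged destinations are the ones to investigate on the local side, not to report as inbound attackers.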