Thread: syn attack

    syn attack

    I have a syn attack on one of my servers. I got it under control so it doesn't hurt the server (datacenter hardware), but just in case I want to find out which site is getting attacked so I can terminate it if the attack gets out of control. I checked all the main logs and all I come up with are lines like this:

    apache log:

    164-8 - 0/0/12 . 0.00 25312 0 0.0 0.00 0.27 203.147.x.xx h3RyOe5kPohmzucnb

    Are there any places I can look to determine which site is causing it?

    I tried putting a couple sites on dedicated ips, but the attack still hit the main ip.

    If it is hitting the main ip, what can I do? I can change all the sites' ip to a new one, but the attack may find the new ip through a domain it is attacking.

    I have tried everything I can think of, but maybe I missed something, any help would be great.

    I had antidos blocking ips, but that's worthless when the attacker has more ips than I can count in a lifetime. I have time, there is no harm being done now, I just want to be safe for the future.

    Apr 2004
    hi SJRhosting,

    There have been a lot of syn attacks going on. The easiest way to fix things is to slowly move across each domain, then track which domain is causing the problem.

    The second idea is to:
    1) Create a script
    2) tail -f access log
    3) Parse access_log
    4) blacklist all ips that are incorrect in the access_log

    I'm still looking for someone to help me in parsing either the access_log or the error_log.


    Jul 2005
    I'm still looking for someone to help me in parsing either the access_log or the error_log.
    It's easy to do. If you'll show me a piece of your log, I'll write a Perl script that lists all IPs.
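
The log parsing asked about in this thread, as an added example that is not from any of the posters: it tallies hits per virtual host and lists client IPs with repeated malformed or timed-out requests. It assumes Apache's vhost_combined log format and reads "incorrect" as an empty request line or a 400/408 status; the function name, threshold and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Apache "vhost_combined" format, which starts with "%v:%p %h".
# The thread does not show the poster's real access_log format.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+?)(?::\d+)? (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)
# Assumption: "incorrect" = no request line, 400 (malformed) or 408 (timed out).
BAD_STATUS = {"400", "408"}

# Constructed sample lines (documentation addresses, made-up vhost names).
SAMPLE = [
    'site-a.example:80 203.0.113.7 - - [12/Apr/2004:10:00:01 +0000] "-" 408 0 "-" "-"',
    'site-a.example:80 203.0.113.7 - - [12/Apr/2004:10:00:02 +0000] "-" 408 0 "-" "-"',
    'site-a.example:80 203.0.113.7 - - [12/Apr/2004:10:00:03 +0000] "GET" 400 226 "-" "-"',
    'site-b.example:80 198.51.100.20 - - [12/Apr/2004:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'site-a.example:80 198.51.100.21 - - [12/Apr/2004:10:00:05 +0000] "-" 408 0 "-" "-"',
    'garbage line that does not match the format',
]

def summarize(lines, min_bad=3):
    """Return (hits per vhost, sorted IPs with >= min_bad bad requests, unparsed count)."""
    per_vhost, bad_by_ip, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        try:
            # Validate before use: raw log text must never reach a firewall rule.
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            unparsed += 1
            continue
        per_vhost[m["vhost"]] += 1
        if m["request"] == "-" or m["status"] in BAD_STATUS:
            bad_by_ip[ip] += 1
    candidates = sorted(ip for ip, n in bad_by_ip.items() if n >= min_bad)
    return per_vhost, candidates, unparsed

if __name__ == "__main__":
    vhosts, candidates, skipped = summarize(SAMPLE)
    for name, hits in vhosts.most_common():
        print(f"{hits:6d}  {name}")
    print("blocklist candidates:", candidates, "| unparsed lines:", skipped)
```

Half-open SYN connections never complete an HTTP request, so they do not appear in access_log at all; this only covers clients that finished the TCP handshake.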

