  1. #1

    "TCP ZeroWindow" - attack?

    What kind of attack is this? It looks like an attack on a webserver (Apache), but during the attack all resources were normal (excluding +10Mbps BW); the server was responsive and fast, and CPU, RAM, netstat and Apache were all normal.
    [Attachment: attack.jpg]
    I have installed the CSF firewall, but I didn't receive any notice about the attack, and I didn't find anything in the logs.
    The attack stopped when I blocked the source IP in the firewall...
    Why didn't CSF notify me?

  2. #2
    It's not an attack. "TCP Window" is the amount of data that can be buffered at a time. When the system runs out of memory (or other resources), an ACK packet is sent on receiving data with a window size of zero, and the client cannot send any more data unless it receives a non-zero window size. If the buffer is available, a non-zero window size is sent with the ACK packet and the communication starts again.

    You don't have to worry about it, it's an internal process.
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  3. #3
    If it's not an attack, look at this graph:
    [Attachment: graf_load.gif]
    The data transferred in the red square was transferred while the system was sending ACK packets; it took 4 hours, then I blocked the source IP...
    It generated 10Mbps of traffic, and in 10 seconds of dumping 300,000 packets were received; usually it's 30,000 packets / 10 seconds.
    I don't think this is normal. The system was working fine, and all these packets were received from 1 IP.
    The only thing I worry about is the huge generated traffic. 4 hours is not a problem, but what if it runs 24h/day? It could generate 3TB/month and I must pay for transferred data...

  4. #4
    Well, the previous graph wasn't that self-explanatory. However, what was the output of the "netstat" command during the time of the attack?

    netstat -alntp

    Also, CSF does not block such traffic by itself. You need to configure the following parameters and restart CSF:

    CT_LIMIT
    CT_INTERVAL

    and, if you see a large number of SYN connections in netstat, configure the following parameters:

    SYNFLOOD
    SYNFLOOD_RATE
    SYNFLOOD_BURST
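    The netstat check suggested in #4, as an added example that is not from this thread or from CSF itself: a Python script that parses `netstat -alntp` output, counts connections per remote IP and flags any source above a per-IP limit, which is the kind of per-IP connection tracking CSF's CT_LIMIT performs. The netstat sample, the addresses in it and the limit of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of `netstat -alntp` output (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1240/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED 1241/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED 1242/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV    -
tcp        0  65535 203.0.113.10:80         198.51.100.7:51238      ESTABLISHED 1243/apache2
tcp        0      0 203.0.113.10:80         192.0.2.55:40022        ESTABLISHED 1244/apache2
tcp        0      0 203.0.113.10:22         192.0.2.9:59000         ESTABLISHED 900/sshd
"""

# Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State
LINE_RE = re.compile(r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_netstat(text):
    """Yield (remote_ip, state, send_q) for every TCP socket that has a real peer."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP protocol
        send_q, foreign, state = int(m.group(3)), m.group(5), m.group(6)
        if state == "LISTEN" or foreign.endswith(":*"):
            continue  # listening sockets have no peer to count
        yield foreign.rsplit(":", 1)[0], state, send_q


def connections_per_ip(text):
    """Number of sockets (any state, SYN_RECV included) per remote IP."""
    return Counter(ip for ip, _, _ in parse_netstat(text))


def flag_sources(text, limit):
    """Remote IPs holding more than `limit` connections at once (CT_LIMIT-style check)."""
    return sorted(ip for ip, n in connections_per_ip(text).items() if n > limit)


def peers_with_unacked_data(text):
    """Peers for which Send-Q > 0: bytes the kernel has sent or queued but the
    peer has not acknowledged, which builds up while a peer advertises window 0."""
    return sorted({ip for ip, _, q in parse_netstat(text) if q > 0})
```

    Run against live output with `netstat -alntp | python3 script.py`-style piping, the flagged list is the set of sources a CT_LIMIT of the same value would block after CT_INTERVAL.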

  5. #5
    Thank you, this is exactly what I was looking for.
