Thread: "TCP ZeroWindow" - attack?
-
01-25-2010, 03:27 AM, #1, Junior Guru Wannabe (Join Date: Jul 2009; Posts: 40)
What kind of attack is this? It looks like an attack on the web server (Apache), but during the attack all resources were normal (except for +10 Mbps of bandwidth); the server was responsive and fast, and CPU, RAM, netstat and Apache were all normal.
I have the CSF firewall installed, but I didn't receive any notice about the attack, and I didn't find anything in the logs either.
The attack stopped when I blocked the source IP in the firewall...
Why didn't CSF notify me?
-
01-25-2010, 04:54 AM, #2, Web Hosting Master (Join Date: Jul 2009; Posts: 1,568)
It's not an attack. "TCP Window" is the amount of data that can be buffered at a time. When the system runs out of memory (or other resources), an ACK packet with a window size of zero is sent on receiving data, and the client cannot send any more data until it receives a non-zero window size. Once buffer space is available, a non-zero window size is sent with the ACK packet and communication resumes.
You don't have to worry about it; it's an internal process.
LinuxHostingSupport.net | Server Setup | Security | Optimization | Troubleshooting | Server Migration | Monthly and task-basis services | MSN: madaboutlinux[at]hotmail.com | Skype: madaboutlinux
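As an added example (not from the thread), here is a quick way to check a packet capture for what the reply above describes: which host is advertising the zero window, and how many segments each side is sending while it does. It assumes the one-line-per-packet text format of "tcpdump -n"; the hosts and capture lines are constructed for illustration, not the original poster's data.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a `tcpdump -n` text capture
# per source IP, counting total segments and how many of them advertised a
# zero receive window ("win 0"), so you can see which side is stalling and
# which side is sending the bulk of the packets.
# Assumes the default one-line-per-packet tcpdump output format.

# Constructed sample capture, not the original poster's data. 203.0.113.5
# plays the web server, 198.51.100.7 the remote host (RFC 5737 test ranges).
SAMPLE_CAPTURE='03:27:01.000001 IP 198.51.100.7.51234 > 203.0.113.5.80: Flags [P.], seq 1:101, ack 1, win 65535, length 100
03:27:01.000002 IP 203.0.113.5.80 > 198.51.100.7.51234: Flags [.], ack 101, win 8192, length 0
03:27:01.000003 IP 198.51.100.7.51234 > 203.0.113.5.80: Flags [P.], seq 101:201, ack 1, win 65535, length 100
03:27:01.000004 IP 203.0.113.5.80 > 198.51.100.7.51234: Flags [.], ack 201, win 0, length 0
03:27:01.000005 IP 198.51.100.7.51234 > 203.0.113.5.80: Flags [.], seq 201:202, ack 1, win 65535, length 1
03:27:01.000006 IP 203.0.113.5.80 > 198.51.100.7.51234: Flags [.], ack 201, win 0, length 0
03:27:01.000007 IP 198.51.100.7.51234 > 203.0.113.5.80: Flags [.], seq 201:202, ack 1, win 65535, length 1
03:27:01.000008 IP 203.0.113.5.80 > 198.51.100.7.51234: Flags [.], ack 201, win 0, length 0'

# Reads tcpdump lines on stdin; prints "src_ip total_segments zero_window_segments",
# one line per source IP, sorted by IP.
capture_summary() {
    awk '$2 == "IP" {
        src = $3
        sub(/\.[0-9]+$/, "", src)          # strip the source port
        total[src]++
        if ($0 ~ / win 0,/) zw[src]++      # segment advertised a zero window
    }
    END { for (s in total) printf "%s %d %d\n", s, total[s], zw[s] + 0 }' | sort
}

# Prints the summary line for a single IP given as $1 (nothing if it never appeared).
host_summary() {
    capture_summary | awk -v ip="$1" '$1 == ip'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | capture_summary
```

On a live box, replace the sample with "tcpdump -n -c 1000 tcp and host <peer>" piped into capture_summary. The server advertising a zero window is normal flow control; what to look at is the other column: a peer that has been told the window is zero is only expected to send occasional window probes, so a very large segment count from it while the server keeps answering "win 0" is the pattern to investigate before blocking.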
-
01-25-2010, 05:35 AM, #3, Junior Guru Wannabe (Join Date: Jul 2009; Posts: 40)
If it's not an attack, look at this graph:
The data transferred in the red square was transferred while the system was sending ACK packets; it went on for 4 hours, then I blocked the source IP...
It generated 10 Mbps of traffic, and in 10 seconds of dumping 300,000 packets were received; usually it's 30,000 packets / 10 seconds.
I don't think this is normal. The system was working fine, and all these packets were received from 1 IP.
The only thing I worry about is the huge amount of generated traffic. 4 hours is not a problem, but what if it runs 24h/day? It could generate 3 TB/month, and I have to pay for transferred data...
-
01-25-2010, 08:12 AM, #4, Web Hosting Master (Join Date: Jul 2009; Posts: 1,568)
Well, the previous graph wasn't that self-explanatory. However, what was the output of the "netstat" command during the time of the attack?
    netstat -alntp
    CT_LIMIT
    CT_INTERVAL
If you see a large number of SYN connections in netstat, configure the following parameters:
    SYNFLOOD
    SYNFLOOD_RATE
    SYNFLOOD_BURST
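To make the reply above concrete, here is an added example (my own, not CSF's code) that reads the output of "netstat -alntp" the way CSF's connection tracking and SYN-flood settings look at it: it counts sockets per foreign IP and compares the count against a CT_LIMIT-style threshold, and it counts half-open (SYN_RECV) connections. The netstat sample and the limit of 4 are constructed for illustration; the column order assumed is that of Linux net-tools netstat.

```shell
#!/bin/sh
# Added example (not from the thread, not CSF's code): reproduce by hand the
# two checks the reply points at, so `netstat -alntp` output can be read the
# way CSF's connection tracking (CT_LIMIT / CT_INTERVAL) and SYN flood
# settings (SYNFLOOD / SYNFLOOD_RATE / SYNFLOOD_BURST) would read it.
# Assumes Linux net-tools netstat columns:
#   Proto Recv-Q Send-Q Local Foreign State [PID/Program]

# Constructed netstat output, not the original poster's. 198.51.100.7 holds
# six sockets (one already in TIME_WAIT), 203.0.113.9 is stuck in three
# half-open handshakes, 192.0.2.10 is an ordinary visitor.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51234      ESTABLISHED 1240/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51235      ESTABLISHED 1241/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51236      ESTABLISHED 1242/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51237      ESTABLISHED 1243/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51238      ESTABLISHED 1244/httpd
tcp        0      0 203.0.113.5:80          198.51.100.7:51239      TIME_WAIT   -
tcp        0      0 203.0.113.5:80          192.0.2.10:40001        ESTABLISHED 1245/httpd
tcp        0      0 203.0.113.5:80          192.0.2.10:40002        ESTABLISHED 1246/httpd
tcp        0      0 203.0.113.5:80          203.0.113.9:3001        SYN_RECV    -
tcp        0      0 203.0.113.5:80          203.0.113.9:3002        SYN_RECV    -
tcp        0      0 203.0.113.5:80          203.0.113.9:3003        SYN_RECV    -
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd'

# Reads netstat output on stdin; prints "count foreign_ip", busiest first.
# Listening sockets are skipped; every other state is counted, which is how
# CSF counts by default.
connections_per_ip() {
    awk '($1 == "tcp" || $1 == "tcp6") && $6 != "LISTEN" {
        ip = $5
        sub(/:[0-9]+$/, "", ip)      # drop the remote port (works for v4 and v6)
        n[ip]++
    }
    END { for (i in n) print n[i], i }' | sort -rn
}

# Prints the foreign IPs holding more than $1 sockets, i.e. what would trip
# a CT_LIMIT of $1.
over_limit() {
    connections_per_ip | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Prints the number of half-open connections. A high and fast-growing value is
# the SYN flood signature that the SYNFLOOD_* rate limit is meant to damp.
syn_recv_count() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Demo on the constructed sample with an illustrative limit of 4.
printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 4
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count
```

Pick CT_LIMIT with real traffic in mind: a proxy, a NAT gateway or a legitimate crawler can hold dozens of sockets, and since every state is counted, TIME_WAIT included, a value that is too low blocks real users; CT_INTERVAL only sets how often the count is taken. SYNFLOOD_RATE and SYNFLOOD_BURST are a rate limit on incoming SYN packets, and CSF's own readme recommends enabling SYNFLOOD only while actually under a SYN flood, because once it triggers it slows every new connection to the server.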
-
01-25-2010, 09:17 AM, #5, Junior Guru Wannabe (Join Date: Jul 2009; Posts: 40)
Thank you, this is exactly what I was looking for.