[tor-relays] Detecting Network Attack [re: exit synflooded]
tor at t-3.net
tor at t-3.net
Sat Nov 25 19:58:31 UTC 2017
Well, it's still going on, and is pretty much ruining Libero :( .
Running CentOS 6, here.
Actually, I think from what I'm seeing that it may not exactly be a
synflood targeting Libero. I think Libero may be being (ab)used to do
massive portscanning or similar.
Image should be visible below - it's normal statistics for the 18th
through say, part of the 21st, messed up 22ed - 24th and on the 24th
me trying different things in an attempt to mitigate (graph is from
yesterday). Look at the SYN_SENT2 maximum.
When it's happening it can look like this:
# netstat -n | grep -c SYN
17696
#
Also one tiny part of the netstat looked like this:
tcp 0 1 64.113.32.29:33354 <external IP
munged>:81 SYN_SENT
tcp 0 1 64.113.32.29:39659 <external IP
munged>:8888 SYN_SENT
tcp 0 1 64.113.32.29:44247 <external IP
munged>:87 SYN_SENT
tcp 0 1 64.113.32.29:42038 <external IP
munged>:8888 SYN_SENT
tcp 0 1 64.113.32.29:42077 <external IP
munged>:83 SYN_SENT
tcp 0 1 64.113.32.29:36282 <external IP
munged>:8888 SYN_SENT
tcp 0 1 64.113.32.29:46023 <external IP
munged>:8888 SYN_SENT
Port 8888 is supposedly opened up for listen by a virus.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171125/d96c27f6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synflood.png
Type: image/png
Size: 46133 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171125/d96c27f6/attachment-0001.png>
More information about the tor-relays
mailing list