My server is sending SYN FLOOD attacks??

Issues related to configuring your network
ChipsOnFire
Posts: 3
Joined: 2019/10/29 09:30:50

My server is sending SYN FLOOD attacks??

Post by ChipsOnFire » 2019/10/29 10:32:58

My VPS provider has disabled my service, because they say that my server is sending SYN FLOOD attacks.
The server has been running quite happily for 3 years. CSF/LFD are loaded.

I now have only console access to the system, to try and 'clean it up'.

How would I start this? How can I find a rogue process? I don't even know where to start here, so need some help!

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: My server is sending SYN FLOOD attacks??

Post by aks » 2019/10/31 20:43:09

I guess ss -ipt and look for high sends with low receives. The nethogs program could display the top used processes (network wise). Use ss -ntap and look at the State field. Personally I'd start with ps and look for "strange" processes.

Although if you have been compromised you don't know if you can trust any of the tools on your machine.
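The `ss -ntap` State-field check suggested in the post above, as an added example that is not part of the original thread: it groups sockets in one TCP state by owning process, so a process holding many half-open outbound connections (SYN-SENT) stands out. The sample output, the process name "example-proc", the function names and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: group `ss -ntap` rows in one TCP state by owning process.

# Constructed sample of `ss -ntap` output. Addresses are documentation ranges;
# "example-proc" is a hypothetical process name.
sample_ss_output() {
cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN   0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1001,fd=3))
ESTAB    0 0 203.0.113.10:22 192.0.2.50:51234 users:(("sshd",pid=1840,fd=4))
SYN-SENT 0 1 203.0.113.10:48122 198.51.100.7:80 users:(("example-proc",pid=2417,fd=5))
SYN-SENT 0 1 203.0.113.10:48124 198.51.100.7:80 users:(("example-proc",pid=2417,fd=6))
SYN-SENT 0 1 203.0.113.10:48126 198.51.100.7:80 users:(("example-proc",pid=2417,fd=7))
SYN-SENT 0 1 203.0.113.10:48128 198.51.100.7:80 users:(("example-proc",pid=2417,fd=8))
SYN-SENT 0 1 203.0.113.10:50310 198.51.100.99:443 users:(("curl",pid=3050,fd=3))
SYN-SENT 0 1 203.0.113.10:50990 198.51.100.20:25
EOF
}

# Read `ss -ntap` output on stdin and print "count name/pid" for every socket
# in state $1, highest count first. Rows without a users:(...) column (ss run
# without enough privilege to see the owner) are counted as "unknown/-".
count_state_by_process() {
    awk -v want="$1" '
        $1 == want {
            who = "unknown/-"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                split(substr($0, RSTART, RLENGTH), p, "\"")
                who = p[2] "/" substr(p[3], 6)   # p[3] is ",pid=NNNN"
            }
            n[who]++
        }
        END { for (w in n) print n[w], w }
    ' | sort -k1,1nr -k2
}

# Print name/pid of every process with at least $1 sockets in SYN-SENT.
flag_syn_sent() {
    count_state_by_process SYN-SENT | awk -v t="$1" '$1 >= t + 0 { print $2 }'
}

# Demo on the constructed sample; on a live host, pipe `ss -ntap` in instead.
sample_ss_output | flag_syn_sent 3
```

Run `ss` as root so the process column is populated for every socket. Packets sent through raw sockets never appear in the TCP socket table, so an empty result here does not rule out a flooding process.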

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: My server is sending SYN FLOOD attacks??

Post by aks » 2019/10/31 20:44:21

Also I'd expect something like:
kernel: possible SYN flooding on port X.
to be logged.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: My server is sending SYN FLOOD attacks??

Post by TrevorH » 2019/10/31 22:01:14

I think that's more likely to be seen if you are the target of a syn flood attack rather than being the one doing it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

anthonynorth
Posts: 7
Joined: 2019/11/01 17:21:30
Location: Brighton, UK

Re: My server is sending SYN FLOOD attacks??

Post by anthonynorth » 2019/11/05 17:18:57

If your system has been compromised the only way to 'clean it up' properly and know that it is safe is to create a fresh OS install and copy your applications and data across. There are so many backdoor apps that hackers can use that it is very hard to trust your machine once it has been compromised.

You could try an online penetration test such as https://pentest-tools.com/network-vulne ... ne-openvas to see what it finds.
