DoS attacks daily - is it normal frequency?

Discussion in 'Linux VPS/Dedicated - General' started by jeja7676, Mar 10, 2011.

  1. jeja7676

    jeja7676 Member

    Almost every day I get an e-mail from KH informing me that a DoS or some other kind of attack happened on my primary domain.
    I get messages with content like this:

    Mar 10 09:14:42 host kernel: Firewall: *SYNFLOOD Blocked* IN=venet0 OUT= MAC= SRC=80.239.242.174 DST=204.197.242.141 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9132 DF PROTO=TCP SPT=38044 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

    or more often I get something like this:

    Connections: 54
    Blocked: Temporary Block

    tcp: 110.55.244.84:49608 -> 204.197.242.141:80 (ESTABLISHED)
    tcp: 110.55.244.84:49610 -> 204.197.242.141:80 (ESTABLISHED)
    ...

    ESTABLISHED ... CLOSE_WAIT ...


    I was wondering, is it normal/usual to get this so frequently? My website gets approx 20k unique visitors per day.
    Actually, is there anything I could do to prevent this? (guess not)

    Thanks
     
  2. Dan

    Dan Moderator

    Hello jeja7676,

    Are you sure these emails are coming from KH or are they actually coming from your VPS?

    To me, these look like firewall e-mails that are being sent to notify you of blocks.
     
  3. NEO

    NEO New Member

    Looking at the message, it looks like it's coming from CSF (ConfigServer Security & Firewall) installed on your VPS/Dedi.

    While I absolutely recommend CSF, SYNFLOOD detection is mostly flawed. I have seen too many false-positive (or rather, incorrect) detections from CSF. You need to check the logs and IPs to make sure it is what it says it is.
     
  4. jeja7676

    jeja7676 Member

    When I said the e-mails were from KH, they were actually from my VPS (which is also owned by KH, I guess :) ).
    To be more specific, this morning I got two e-mails, like this one:

    from : [email protected]
    subject: lfd on host.myprimarydomain.com: 75.144.252.73 (US/United States/mail.pdc-racing.net) blocked with too many connections

    Time: Thu Mar 10 17:29:11 2011 -0500
    IP: 208.114.139.53 (CA/Canada/xplr-ts-w10-208-114-139-53.barrettxplore.com)
    Connections: 81
    Blocked: Temporary Block

    Connections:
    tcp: 208.114.139.53:51088 -> myprimarydomainip:80 (FIN_WAIT1)
    etc ...
    tcp: 208.114.139.53:50098 -> myprimarydomainip:80 (FIN_WAIT1)
    tcp: 208.114.139.53:56503 -> myprimarydomainip:80 (ESTABLISHED)
    etc ...


    What I have also noticed is that I get a similar e-mail when I check my domain from free online tools like http://tools.pingdom.com. So, maybe these are not DoS; maybe someone is accessing my website from some online proxy?
    Does anyone have similar experiences?
     
  5. Tiger33

    Tiger33 New Member

    I use Pingdom and I get the same thing, mate.

    False positive.

    (When Pingdom does the domain uptime checks from multiple addresses, I think this is what is triggering the messages - at least it is in my case.)
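Following NEO's advice to check the logs and IPs before trusting the alert, here is a small triage script. It is an added example, not code from the thread or from CSF itself: it parses the two notification formats quoted above (the kernel SYNFLOOD line and the lfd "too many connections" e-mail body), tallies the TCP states of the listed connections, and checks the source against an allowlist of monitoring probe ranges. The sample notices, the 198.51.100.0/24 probe range and all addresses are constructed placeholders; the real ranges come from your uptime provider's documentation. The `csf.ignore` and `CT_LIMIT` references are CSF's own settings; the `triage` labels are this example's invention.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# PLACEHOLDER allowlist (constructed): replace with the probe ranges your
# uptime-monitoring provider publishes. Sources inside these ranges belong in
# csf.ignore so lfd stops counting them against CT_LIMIT.
MONITOR_NETS = [ip_network("198.51.100.0/24")]

# TCP states in which the peer has finished, or is finishing, the connection.
# lfd still counts them toward CT_LIMIT unless CT_STATES narrows the states.
CLOSING_STATES = {"FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "CLOSE_WAIT",
                  "LAST_ACK", "CLOSING"}

# One connection line from an lfd notice, e.g.
# "tcp: 203.0.113.7:51088 -> 192.0.2.10:80 (FIN_WAIT1)"
CONN_RE = re.compile(
    r"^(?P<proto>tcp|udp):\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+\((?P<state>[A-Z_0-9]+)\)",
    re.M,
)


def parse_lfd_notice(text):
    """Parse the body of an lfd 'blocked with too many connections' e-mail."""
    ip_m = re.search(r"^IP:[ \t]+(?P<ip>[\d.]+)", text, re.M)
    # The summary line "Connections: 81"; the later bare "Connections:" header
    # carries no number and therefore does not match.
    count_m = re.search(r"^Connections:[ \t]+(?P<n>\d+)[ \t]*$", text, re.M)
    conns = [m.groupdict() for m in CONN_RE.finditer(text)]
    return {
        "ip": ip_m.group("ip") if ip_m else None,
        "reported_connections": int(count_m.group("n")) if count_m else len(conns),
        "states": Counter(c["state"] for c in conns),
        "ports": Counter(int(c["dport"]) for c in conns),
    }


def parse_synflood_line(line):
    """Pull the KEY=value fields out of a CSF kernel '*SYNFLOOD Blocked*' line."""
    if "SYNFLOOD" not in line:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def triage(notice):
    """Label an lfd block: allowlisted monitor, mostly-closed sockets, or active."""
    ip = ip_address(notice["ip"])
    if any(ip in net for net in MONITOR_NETS):
        return "known-monitor"      # expected probe traffic: add to csf.ignore
    total = sum(notice["states"].values())
    closing = sum(n for s, n in notice["states"].items() if s in CLOSING_STATES)
    if total and closing / total >= 0.5:
        return "mostly-closing"     # lingering sockets, not a live flood: review
    return "active"                 # many live/half-open connections: keep block


# Constructed samples modelled on the thread's quoted notices (all IPs are
# documentation addresses; the server is 192.0.2.10).
SAMPLE_CLOSING = """\
Time: Thu Mar 10 17:29:11 2011 -0500
IP: 203.0.113.7 (XX/Example/host.example.net)
Connections: 81
Blocked: Temporary Block

Connections:
tcp: 203.0.113.7:51088 -> 192.0.2.10:80 (FIN_WAIT1)
tcp: 203.0.113.7:50098 -> 192.0.2.10:80 (FIN_WAIT1)
tcp: 203.0.113.7:50120 -> 192.0.2.10:80 (FIN_WAIT1)
tcp: 203.0.113.7:56503 -> 192.0.2.10:80 (ESTABLISHED)
"""

SAMPLE_MONITOR = """\
IP: 198.51.100.23 (XX/Example/probe.example.net)
Connections: 54
Blocked: Temporary Block

Connections:
tcp: 198.51.100.23:49608 -> 192.0.2.10:80 (ESTABLISHED)
tcp: 198.51.100.23:49610 -> 192.0.2.10:80 (ESTABLISHED)
"""

SAMPLE_SYNFLOOD = (
    "Mar 10 09:14:42 host kernel: Firewall: *SYNFLOOD Blocked* IN=venet0 OUT= "
    "MAC= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=9132 DF PROTO=TCP SPT=38044 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)

if __name__ == "__main__":
    for body in (SAMPLE_CLOSING, SAMPLE_MONITOR):
        n = parse_lfd_notice(body)
        print(n["ip"], n["reported_connections"], dict(n["states"]), triage(n))
    print(parse_synflood_line(SAMPLE_SYNFLOOD))
```

Run it against the body of a real lfd e-mail piped in, and the `states` counter answers the question raised in the thread: a block whose connections are almost all FIN_WAIT1 or TIME_WAIT is a client that already went away, not an ongoing flood, while a known monitor source is best put in `csf.ignore` rather than unblocked by hand each day.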
     
