DoS attacks daily - is it a normal frequency?

jeja7676

Member
Almost every day I get an e-mail from KH informing me that a DoS or some other kind of attack happened on my primary domain.
I get messages with content like this:

Mar 10 09:14:42 host kernel: Firewall: *SYNFLOOD Blocked* IN=venet0 OUT= MAC= SRC=80.239.242.174 DST=204.197.242.141 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9132 DF PROTO=TCP SPT=38044 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

or more often I get something like this:

Connections: 54
Blocked: Temporary Block

tcp: 110.55.244.84:49608 -> 204.197.242.141:80 (ESTABLISHED)
tcp: 110.55.244.84:49610 -> 204.197.242.141:80 (ESTABLISHED)
...

ESTABLISHED ... CLOSE_WAIT ...


I was wondering, is it normal/usual to get this so frequently? My website gets approx 20k unique visitors per day.
Actually, is there anything I could do to prevent this? (guess not)

Thanks
 
Hello jeja7676,

Are you sure these emails are coming from KH or are they actually coming from your VPS?

To me, these look like firewall emails that are being sent to notify you of blocks.
 
Looking at the message, it looks like it's coming from CSF (ConfigServer Security & Firewall) installed on your VPS/Dedi.

While I absolutely recommend CSF, SYNFLOOD detection is mostly flawed. I have seen too many false positive (or rather incorrect) detections from CSF. You need to check the logs and IPs to make sure it is what it says it is.
 
When I said the e-mails were from KH, they were actually from my VPS (which is also owned by KH, I guess :) ).
To be more specific, this morning I got two e-mails, like this one:

from : root@host.myprimarydomain.com
subject: lfd on host.myprimarydomain.com: 75.144.252.73 (US/United States/mail.pdc-racing.net) blocked with too many connections

Time: Thu Mar 10 17:29:11 2011 -0500
IP: 208.114.139.53 (CA/Canada/xplr-ts-w10-208-114-139-53.barrettxplore.com)
Connections: 81
Blocked: Temporary Block

Connections:
tcp: 208.114.139.53:51088 -> myprimarydomainip:80 (FIN_WAIT1)
etc ...
tcp: 208.114.139.53:50098 -> myprimarydomainip:80 (FIN_WAIT1)
tcp: 208.114.139.53:56503 -> myprimarydomainip:80 (ESTABLISHED)
etc ...


What I have also noticed is that I get a similar e-mail when I check my domain from free online tools like http://tools.pingdom.com. So maybe these are not DoS; maybe someone is accessing my website from some online proxy?
Does anyone have similar experiences?
 
I use Pingdom and I get the same thing, mate.

false positive

(When Pingdom does the domain uptime checks from multiple addresses, I think this is what is triggering the messages - at least it is in my case.)
 