[ubuntu-uk] SYS flood and Port scan concern

Paul Morgan-Roach roachy at roachy.net
Thu Aug 12 21:31:59 BST 2010

----- Original message -----
> Hi all,
> Three days ago had a new internet connection installed and today have
> checked the logs on my router. I was a little concerned to find 4-5
> TCP/UDP port scans followed by 15-20 SYN floods occuring about every 20
> minutes for the past THREE days!
> With my admittedly limited knowledge of computer security I already know
> these are consistent with DOS attacks but why would anyone be trying to
> block my services?
> I also came home today to find my router had been knocked offline so had
> to re-start it to restore my internet connection.
> Should I be concerned or are these just random attacks that are being
> handled safely by my router? If not then how do I go about stopping
> these and monitoring my system for something a little more sinister. I
> have installed and monitored Wireshark for a while this evening but am
> not really sure what I am looking for.
> Any help/advise would be fantastic.
> Ade

Hi - if it's a SYN flood attack this involves sending your IP the first part of the three way hancshake packets faster than your router can deal with them by sending a SYN-ACK. It's not very likely that this is the case as it's a pretty inefficient attack method.

The first thing to state is that if you're checking logs and haven't done much of this before, it might just be "normal" internet traffic.  I watch my firewall logs quite aggressively and there is a constant pattern of port scans, password attempts on ssh and so on.  Most of these occur from IP addresses in Russia, China and South America, although there are a few domestic ones. The most likely explaination is that this is nothing out of the ordinary.

If the scans/attacks are coming from a single IP then run a whois check against the IP and email the abuse contact. Keep the email concise, polite and include logs.  You may not get a reply but it's the appropriate procedure for this kind of thing.

The next step is to configure your firewall to appropriately deal with this traffic.  If it's a linux box try to limit the traffic by setting up rules to drop the traffic, rather than deny. If the attacks are from China, for example, you can look up the Chinese subnets from the regional internet registration database (see http://blog.roachy.net/2010/06/02/regional-internet-registrations/) and deny all of those or just the subnets where the attack originates from... 

The best policy for this kind of thing is to set up explicit drop/deny rules and only permit in the event of necessity, but this is not often possible (when running webservers for example).

Also block all inbound ports that aren't necessary and outbound traffic where appropriate.  

Again, if the gateway device is a linux box this can help with diagnosis. You can write a capture for offline analysis using tcpdump:

#tcpdump -i wan-1 -s0 -w output.pcap

this capture file can then be dropped into wireshark and studied.  I you are looking to understand packet captures and network traffic a little better, i'd also recommend the book "Practical Packet Analysis" available through Amazon!

I hope this helps a little.....if you need any more information though, just ask :)


Sent from my Nokia N900
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/ubuntu-uk/attachments/20100812/56c5e58d/attachment.htm 

More information about the ubuntu-uk mailing list