From: "Chad Leigh Shire.Net LLC" <chad@shire.net>
To: Chuck Swiger
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: question on SYN_SENT
Date: Fri, 11 May 2012 16:15:48 -0600
Message-Id: <0A88B145-82C4-4167-AD13-829CCAC6298F@shire.net>
In-Reply-To: <4782C161-4B28-4276-9559-A54B711368F1@mac.com>

On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:

> On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
>> It is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?
>
> That's right.
>
>> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new tcp connections could not be made until some closed.
>
> You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.
>
>> I added that address to a "pf" block statement to stop it but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
>>
>>
>> tcp4       0      0 host.52562          147.237.76.155.http    SYN_SENT
>> tcp4       0      0 host.52561          147.237.76.155.http    SYN_SENT
>
> Yes, your side is trying to connect out.
> Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

Hi Chuck!

Thanks. I am investigating as this side should not be going out at all, but the SYN_SENT made me think it was.

Thanks
Chad

>
> % whois 147.237.76.155
> [ ... ]
> inetnum:        147.237.0.0 - 147.237.255.255
> netname:        IL-GOVT-NET
> descr:          Israeli Government Network
> country:        IL
> admin-c:        AT979-RIPE
> tech-c:         TT441-RIPE
> status:         ASSIGNED PI
> mnt-by:         GOV-IL-DNS
> mnt-lower:      GOV-IL-DNS
> mnt-routes:     AS8867-MNT { ANY }
> mnt-routes:     AS9116-MNT { 147.237.232.0/24^24-24 }
> source:         RIPE # Filtered
>
> person:         Admin Tehila
> address:        Israel Ministry Of Finance
> address:        1 Netanel Lorech st
> address:        Jerusalem Israel
> phone:          +972 2 6664666
> fax-no:         +972 2 6664650
> remarks:        For ABUSE and security issues please contact
> remarks:        email: abuse@tehila.gov.il
> remarks:        or contact CERT.gov.il at report@CERT.gov.il
> nic-hdl:        AT979-RIPE
> source:         RIPE # Filtered
>
> Regards,
> --
> -Chuck
>
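The point Chuck makes in the thread is that a socket in SYN_SENT is one where the local side sent the SYN and is still waiting for the SYN/ACK, so every such row in netstat is an outbound attempt originating from the jail. The script below is an added example (not code from either poster) that turns that rule into a quick triage check: it reads `netstat -an` output, keeps only SYN_SENT rows, and tallies them by remote address so the outbound target stands out. The sample netstat output embedded in it is constructed for illustration, with the 147.237.76.155 address from the thread and otherwise documentation/private addresses; the function names are this example's own.

```shell
#!/bin/sh
# Triage helper for FreeBSD `netstat -an` output.
# A TCP socket in SYN_SENT has had its SYN sent by the LOCAL side and is
# waiting for the remote SYN/ACK, so each such row is a local-initiated
# outbound attempt. Counting them per foreign address shows where the
# local host (or jail) is trying to go, which is what the thread's author
# needed to see.

# Constructed sample of `netstat -an` output (illustrative, not captured
# from the host in the thread). Columns: Proto Recv-Q Send-Q Local Foreign (state)
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.52562         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.52561         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.52560         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.443           198.51.100.7.41022     ESTABLISHED
tcp4       0      0 10.0.0.5.52559         203.0.113.9.80         SYN_SENT
tcp4       0      0 *.22                   *.*                    LISTEN'

# syn_sent_by_remote: read netstat output on stdin and print
# "<count> <foreign ip>" lines for SYN_SENT sockets, busiest remote first.
syn_sent_by_remote() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_SENT" {
            # Foreign address is "ip.port"; strip the trailing ".port"
            # so all ports to the same host are counted together.
            r = $5; sub(/\.[0-9]+$/, "", r); n[r]++
         }
         END { for (r in n) print n[r], r }' | sort -rn
}

# top_syn_sent_remote: the single foreign address with the most pending
# outbound SYNs (empty output if there are none).
top_syn_sent_remote() {
    syn_sent_by_remote | awk 'NR == 1 { print $2 }'
}

# syn_sent_count: total SYN_SENT sockets, i.e. total local-initiated
# connection attempts still waiting for an answer.
syn_sent_count() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_SENT" { c++ } END { print c + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | syn_sent_by_remote
printf 'total SYN_SENT: %s\n' "$(printf '%s\n' "$SAMPLE" | syn_sent_count)"
```

On a live host the same functions take `netstat -an | syn_sent_by_remote`. Once the remote address is confirmed, the next step the thread implies is to find which process inside the jail owns those sockets; FreeBSD's sockstat can list connected IPv4 sockets for one jail with `sockstat -4 -c -j <jid>`, which maps each local port in the SYN_SENT rows to a PID and command.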