Date: Fri, 11 May 2012 15:08:22 -0700
From: Chuck Swiger <cswiger@mac.com>
To: "Chad Leigh Shire.Net LLC" <chad@shire.net>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: question on SYN_SENT
Message-ID: <4782C161-4B28-4276-9559-A54B711368F1@mac.com>
In-Reply-To: <D8AF0C20-E2C0-44A4-89DF-B614F3DBBFF6@shire.net>
References: <D8AF0C20-E2C0-44A4-89DF-B614F3DBBFF6@shire.net>
On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> It is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?

That's right.

> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new TCP connections could not be made until some closed.

You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.

> I added that address to a "pf" block statement to stop it, but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
>
>
> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT

Yes, your side is trying to connect out. Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

% whois 147.237.76.155
[ ... ]
inetnum:        147.237.0.0 - 147.237.255.255
netname:        IL-GOVT-NET
descr:          Israeli Government Network
country:        IL
admin-c:        AT979-RIPE
tech-c:         TT441-RIPE
status:         ASSIGNED PI
mnt-by:         GOV-IL-DNS
mnt-lower:      GOV-IL-DNS
mnt-routes:     AS8867-MNT { ANY }
mnt-routes:     AS9116-MNT { 147.237.232.0/24^24-24 }
source:         RIPE # Filtered

person:         Admin Tehila
address:        Israel Ministry Of Finance
address:        1 Netanel Lorech st
address:        Jerusalem Israel
phone:          +972 2 6664666
fax-no:         +972 2 6664650
remarks:        For ABUSE and security issues please contact
remarks:        email: abuse@tehila.gov.il
remarks:        or contact CERT.gov.il at report@CERT.gov.il
nic-hdl:        AT979-RIPE
source:         RIPE # Filtered

Regards,
--
-Chuck
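The point of the exchange above is reading direction out of the TCP state column: SYN_SENT means the local side sent the SYN and is waiting for the SYN/ACK (an outbound attempt), while SYN_RCVD means a peer's SYN arrived at a local listener and the final ACK has not come back (an inbound half-open connection, the classic SYN-flood symptom). The following script is an added example and not code from the thread or from FreeBSD: it parses `netstat -a` style output, counts half-open handshakes per peer in each direction, and reports which peers exceed a threshold. The sample lines are constructed to mimic the quoted output; the 147.237.76.155 entries echo the thread, and the 203.0.113.9 and 198.51.100.7 lines are documentation addresses invented here to show the inbound case.

```python
"""Summarise TCP handshake states from FreeBSD `netstat -a` output.

Added example, not from the original thread. Sample input is constructed.
"""
from collections import Counter

# Constructed sample of `netstat -a` output. Columns are:
# proto recv-q send-q local-address foreign-address state
# Addresses use the BSD convention of host.port, with the port (or
# service name) after the last dot.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 host.52562             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.http              203.0.113.9.40111      SYN_RCVD
tcp4       0      0 host.http              203.0.113.9.40112      SYN_RCVD
tcp4       0      0 host.ssh               198.51.100.7.51234     ESTABLISHED
tcp4       0      0 *.http                 *.*                    LISTEN
udp4       0      0 *.syslog               *.*
"""


def split_addr(addr):
    """Split 'a.b.c.d.port' or 'host.port' into (host, port) at the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Yield (proto, local_host, local_port, foreign_host, foreign_port, state)
    for each TCP socket line. Header lines and non-TCP sockets (which have
    no state column) are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = fields
        local_host, local_port = split_addr(local)
        foreign_host, foreign_port = split_addr(foreign)
        yield proto, local_host, local_port, foreign_host, foreign_port, state


def handshake_summary(text):
    """Count half-open handshakes per foreign host, split by direction.

    SYN_SENT: this host sent the SYN and awaits SYN/ACK (outbound attempt).
    SYN_RCVD: a peer's SYN reached a local listener and the final ACK is
              still outstanding (inbound half-open connection).
    """
    outbound = Counter()
    inbound = Counter()
    for _proto, _lh, _lp, foreign_host, _fp, state in parse_netstat(text):
        if state == "SYN_SENT":
            outbound[foreign_host] += 1
        elif state == "SYN_RCVD":
            inbound[foreign_host] += 1
    return {"outbound": dict(outbound), "inbound": dict(inbound)}


def suspicious_peers(text, threshold=2):
    """Return (direction, peer, count) for peers with at least `threshold`
    half-open sockets, most active first, so the operator can see which
    side is initiating before deciding what to block or kill."""
    summary = handshake_summary(text)
    hits = [
        (direction, peer, count)
        for direction in ("outbound", "inbound")
        for peer, count in summary[direction].items()
        if count >= threshold
    ]
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    import sys

    # Pipe real output in with `netstat -an | python3 this.py`; with no
    # piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for direction, peer, count in suspicious_peers(data):
        print(f"{direction:8s} {peer:20s} {count} half-open")
```

On the thread's case this reports the 147.237.76.155 sockets as outbound, which is the diagnostic the reply makes: a pf block on the remote address stops the SYNs leaving, but whatever process inside the jail is opening those sockets keeps retrying, so the next step is `sockstat -4` (or `fstat`) in the jail to find the owning process rather than adding more firewall rules.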
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4782C161-4B28-4276-9559-A54B711368F1>