DDoS Protection
tarasui, 2014-02-14 14:34:09

Why is Ubuntu sending out SYN Flood?

After a DDoS attack (although I think this is unrelated), the server itself became a bot machine.
I cannot understand which process is sending it out.
And how did it get infected?

[email protected] /var/log # netstat -nt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    216 46.4.106.34:22          89.169.3.12:60011       ESTABLISHED
It shows nothing except my SSH connection to the dedicated server (Hetzner),
where the services sendmail, postfix, nginx, php-fpm, mysql, squid, vsftpd and webmin are stopped and disabled,
but the flood goes on at 40 requests per second, while the 8 cores are not loaded.
[email protected] /var/log # tcpdump -i eth0 -vv
11:17:53.207382 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.19145: Flags [R], cksum 0xa590 (correct), seq 1183, win 8192, length 0
11:17:53.207395 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.64057: Flags [R], cksum 0x497a (correct), seq 1183, win 8192, length 0
11:17:53.217007 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.59902: Flags [R], cksum 0xc129 (correct), seq 1183, win 8192, length 0
11:17:53.225771 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.57444: Flags [R], cksum 0xc19a (correct), seq 1183, win 8192, length 0
11:17:53.229453 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.9910: Flags [R], cksum 0x1bb5 (correct), seq 1183, win 8192, length 0

Tell me which process to cut down?
[email protected] /var/log # ps aux
...
root       497  0.0  0.0  17896  1392 ?        S    04:56   0:00 upstart-udev-bridge --daemon
root       501  0.0  0.0      0     0 ?        S<   04:56   0:00 [kworker/4:1H]
root       502  0.0  0.0  21864  1644 ?        Ss   04:56   0:00 /sbin/udevd --daemon
root       515  0.0  0.0      0     0 ?        S    04:56   0:00 [kjournald]
root       516  0.0  0.0      0     0 ?        S<   04:56   0:00 [kworker/1:1H]
root       535  0.0  0.0  50040  2928 ?        Ss   04:56   0:00 /usr/sbin/sshd -D
root       540  0.0  0.0      0     0 ?        S<   04:56   0:00 [kworker/2:1H]
root       714  0.0  0.0  21860  1184 ?        S    04:56   0:00 /sbin/udevd --daemon
root       716  0.0  0.0  21860  1220 ?        S    04:56   0:00 /sbin/udevd --daemon
root       756  0.0  0.0      0     0 ?        S<   04:56   0:00 [edac-poller]
102        766  0.0  0.0  23824   696 ?        Ss   04:56   0:00 dbus-daemon --system --fork --activation=upstart
root       769  0.0  0.0      0     0 ?        S<   04:56   0:00 [hd-audio0]
syslog     774  0.0  0.0 249480  1484 ?        Sl   04:56   0:01 rsyslogd -c5
root       782  0.0  0.0      0     0 ?        S<   04:56   0:00 [kvm-irqfd-clean]
root       805  0.0  0.0  15196   388 ?        S    04:56   0:00 upstart-socket-bridge --daemon
root      1001  0.0  0.0  15792   976 tty4     Ss+  04:56   0:00 /sbin/getty -8 38400 tty4
root      1020  0.0  0.0  15792   972 tty5     Ss+  04:56   0:00 /sbin/getty -8 38400 tty5
root      1076  0.0  0.0  15792   968 tty2     Ss+  04:56   0:00 /sbin/getty -8 38400 tty2
root      1077  0.0  0.0  15792   972 tty3     Ss+  04:56   0:00 /sbin/getty -8 38400 tty3
root      1080  0.0  0.0  15792   972 tty6     Ss+  04:56   0:00 /sbin/getty -8 38400 tty6
root      1085  0.0  0.0   4336   688 ?        Ss   04:56   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1193  0.0  0.0  19120  1040 ?        Ss   04:56   0:00 cron
root      1196  0.0  0.0  15988   696 ?        Ss   04:56   0:03 /usr/sbin/irqbalance
root      1232  0.0  0.0      0     0 ?        S<   04:56   0:00 [kworker/3:1H]
root      1536  0.0  0.0  13376   724 ?        Ss   04:56   0:00 /sbin/mdadm --monitor --pid-file /var/run/mdadm/monitor.pid
root      1582  0.0  0.0  15792   976 tty1     Ss+  04:56   0:00 /sbin/getty -8 38400 tty1
ntp       2980  0.0  0.0  37784  2248 ?        Ss   04:56   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 104:110
daemon   12619  0.0  0.0  16916   376 ?        Ss   09:22   0:00 atd
root     12816  0.0  0.0  73600  3816 ?        Ss   09:44   0:01 sshd: [email protected]/0
root     12832  0.0  0.0  23016  4348 pts/0    Ss   09:44   0:00 -bash
root     13627  0.4  0.0  72228  3636 ?        Ss   12:33   0:00 sshd: root [priv]
sshd     13628  0.0  0.0  51472  1444 ?        S    12:33   0:00 sshd: root [net]
root     13629  0.0  0.0      0     0 ?        S    12:33   0:00 [flush-9:2]
root     13630  0.0  0.0  18164  1268 pts/0    R+   12:33   0:00 ps aux

Thanks

throughtheether, 2014-02-14
@tarasui

Do I understand correctly that azmsk.com is your server? In that case, the dump only shows that the host with the address 5.23.77.128 (5-23-77-128.emax.is) is sending you RST segments. Judging by the varying destination ports, these are responses to SYN segments encapsulated in IP packets carrying the address of your server. I guess this is a SYN flood with a spoofed source address. As far as I understand, the constant value of the seq field in the TCP header also speaks in favor of this version. I don't see any evidence in your dump that your server is involved in a SYN flood attack.
For the future, please use the "-nn" option of tcpdump; it makes the dumps much easier to read. Better yet, collect traffic samples in a separate .pcap file.
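The check the answer describes, as an added example that is not part of the original post or answer: parse the indented segment lines of a tcpdump -vv capture and flag any remote socket that sends only RST or SYN-ACK replies to many distinct local ports (backscatter from SYNs spoofed with the server's address), while separately counting SYNs the server itself sends. The host name azmsk.com, the sample lines (copied from the question), the regex and the port threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two-line "tcpdump -vv" records from the question above
SAMPLE = """\
11:17:53.207382 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.19145: Flags [R], cksum 0xa590 (correct), seq 1183, win 8192, length 0
11:17:53.207395 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.64057: Flags [R], cksum 0x497a (correct), seq 1183, win 8192, length 0
11:17:53.217007 IP (tos 0x0, ttl 236, id 65259, offset 0, flags [none], proto TCP (6), length 40)
    5-23-77-128.emax.is.http > azmsk.com.59902: Flags [R], cksum 0xc129 (correct), seq 1183, win 8192, length 0
"""

# Matches the indented TCP line; host names and ports may be symbolic (no -nn) or numeric
SEG = re.compile(r"^\s+(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
                 r"Flags \[(?P<flags>[^\]]*)\].*?seq (?P<seq>\d+)")

def parse_segments(text):
    """Return one dict per TCP segment line found in a tcpdump -vv dump."""
    return [m.groupdict() for m in (SEG.match(l) for l in text.splitlines()) if m]

def analyse(text, our_host, min_ports=3):
    """Separate evidence of outbound SYN flooding from inbound backscatter.

    Backscatter = a remote (host, port) that sends only reply-type segments
    (RST or SYN-ACK) to at least `min_ports` distinct local ports; a constant
    seq across those replies corroborates that they answer spoofed SYNs.
    """
    inbound = defaultdict(lambda: {"dports": set(), "flags": set(), "seqs": set()})
    outbound_syns = 0
    for s in parse_segments(text):
        if s["dst"] == our_host:
            key = (s["src"], s["sport"])
            inbound[key]["dports"].add(s["dport"])
            inbound[key]["flags"].add(s["flags"])
            inbound[key]["seqs"].add(s["seq"])
        elif s["src"] == our_host and s["flags"] == "S":
            outbound_syns += 1          # a SYN we originate: real flood evidence
    backscatter = {}
    for (src, sport), info in inbound.items():
        reply_only = info["flags"] <= {"R", "R.", "S."}   # RST / RST-ACK / SYN-ACK only
        if reply_only and len(info["dports"]) >= min_ports:
            backscatter[f"{src}:{sport}"] = {
                "distinct_ports": len(info["dports"]),
                "constant_seq": len(info["seqs"]) == 1,
            }
    return {"outbound_syns": outbound_syns, "backscatter": backscatter}

if __name__ == "__main__":
    print(analyse(SAMPLE, "azmsk.com"))
```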
