SYN trickle

24.02.2011 16:34

Back on Monday I started getting "possible SYN flooding on port 25. Sending cookies." warnings in the kernel log of my server. Investigating with tcpdump, I got the following trace:

03:49:48.313336 IP 203.81.64.yyy.9204 > 193.95.199.xxx.25: S 846930886:846930886(0) win 61690 <mss 1460,nop,nop,sackOK>
03:49:48.313493 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:49:51.681833 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:49:58.081830 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:50:10.881785 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>

I counted 28 different IP addresses from the 203.81.64.0 network ("Myanma Post and Telecommunication" according to whois) sending TCP SYN packets to my port 25, but not answering the repeated SYN-ACKs my machine sends back. After what looks like a timeout, the remote host tries again with a new SYN. When I started monitoring, the rate was well below anything serious, at a few packets per minute.

What could be causing such traffic? It looks to me like the SYN-ACKs from my server are being dropped somewhere along the line. Perhaps spam bots on compromised machines, and a failed attempt at SMTP filtering that drops inbound packets instead of outbound ones?
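To make the pattern above easier to spot in a longer capture, here is a small half-open connection detector that reads old-style tcpdump text output like the trace in this post. It is an added example, not code from this post or its author; it assumes the tcpdump line format shown above (the "S ... ack N" / ". ack N" flag notation), and the sample input consists of the five lines from the trace plus a constructed, completed handshake from 10.0.0.5 for contrast. It reports, per client address, flows where a SYN arrived but no completing ACK ever did, how many times the server had to retransmit its SYN-ACK, and aggregates the half-open flows per /24 prefix so a whole source network like 203.81.64.0 shows up as one entry.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines from the trace above (placeholder octets
# kept as-is) plus a constructed, normally completed handshake from 10.0.0.5.
SAMPLE = """\
03:49:48.313336 IP 203.81.64.yyy.9204 > 193.95.199.xxx.25: S 846930886:846930886(0) win 61690 <mss 1460,nop,nop,sackOK>
03:49:48.313493 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:49:51.681833 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:49:58.081830 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:50:10.881785 IP 193.95.199.xxx.25 > 203.81.64.yyy.9204: S 1717881734:1717881734(0) ack 846930887 win 5808 <mss 1452,nop,nop,sackOK>
03:51:00.000000 IP 10.0.0.5.40000 > 193.95.199.xxx.25: S 1000:1000(0) win 5840 <mss 1460,sackOK>
03:51:00.000100 IP 193.95.199.xxx.25 > 10.0.0.5.40000: S 2000:2000(0) ack 1001 win 5808 <mss 1452,sackOK>
03:51:00.000200 IP 10.0.0.5.40000 > 193.95.199.xxx.25: . ack 1 win 5840
"""

# Old-style tcpdump line: "<time> IP <src>.<port> > <dst>.<port>: <flags> <rest>"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\S+) (.*)$")
ACK_RE = re.compile(r"\back \d+")  # "ack N" field; "sackOK" does not match


def parse_line(line):
    """Split one tcpdump line into hosts, ports, flag letters and ack presence."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, flags, rest = m.groups()
    shost, sport = src.rsplit(".", 1)
    dhost, dport = dst.rsplit(".", 1)
    return {"ts": ts, "shost": shost, "sport": int(sport),
            "dhost": dhost, "dport": int(dport),
            "flags": flags, "has_ack": ACK_RE.search(rest) is not None}


def classify(pkt):
    """Handshake role of a packet: client SYN, server SYN-ACK, or client ACK."""
    if "S" in pkt["flags"] and not pkt["has_ack"]:
        return "SYN"
    if "S" in pkt["flags"] and pkt["has_ack"]:
        return "SYNACK"
    if pkt["flags"] == "." and pkt["has_ack"]:
        return "ACK"
    return "OTHER"


def half_open_report(text, server_port=25):
    """Per client host: half-open flows, completed flows, SYN-ACK retransmits."""
    flows = {}  # (client host, client port, server host) -> counters
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        kind = classify(pkt)
        if kind == "SYN" and pkt["dport"] == server_port:
            key = (pkt["shost"], pkt["sport"], pkt["dhost"])
            flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0})["syn"] += 1
        elif kind == "SYNACK" and pkt["sport"] == server_port:
            key = (pkt["dhost"], pkt["dport"], pkt["shost"])
            flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0})["synack"] += 1
        elif kind == "ACK" and pkt["dport"] == server_port:
            key = (pkt["shost"], pkt["sport"], pkt["dhost"])
            if key in flows:
                flows[key]["ack"] += 1

    per_client = defaultdict(lambda: {"half_open": 0, "completed": 0,
                                      "synack_retransmits": 0})
    for (client, _, _), c in flows.items():
        if c["ack"]:
            per_client[client]["completed"] += 1
        elif c["syn"]:
            # SYN seen, SYN-ACK(s) sent, never acknowledged: a half-open flow.
            per_client[client]["half_open"] += 1
            per_client[client]["synack_retransmits"] += max(0, c["synack"] - 1)
    return dict(per_client)


def by_prefix(report):
    """Aggregate half-open flows by /24 prefix (first three dotted labels)."""
    agg = defaultdict(lambda: {"hosts": set(), "half_open": 0})
    for client, c in report.items():
        if c["half_open"] == 0:
            continue
        prefix = ".".join(client.split(".")[:3]) + ".0"
        agg[prefix]["hosts"].add(client)
        agg[prefix]["half_open"] += c["half_open"]
    return {p: {"hosts": len(v["hosts"]), "half_open": v["half_open"]}
            for p, v in agg.items()}


if __name__ == "__main__":
    report = half_open_report(SAMPLE)
    for host, c in sorted(report.items()):
        print(host, c)
    print(by_prefix(report))
```

Feeding the output of `tcpdump -n -tttt port 25` (or a saved capture read back with `tcpdump -n -r file.pcap`) into `half_open_report` gives the same per-host view; a source network whose hosts all show `half_open` flows with several `synack_retransmits` and zero `completed` flows is exactly the "SYN-ACKs dropped on the way back" signature described in the post, as opposed to a real SYN flood where the source addresses are usually spoofed and never retry with a fresh SYN.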

Posted by Tomaž | Categories: Code
