# syn flood question



## benpptung (Oct 15, 2011)

I don't know if this is an attack or something else. My servers have encountered a SYN flood for a couple of weeks, like the following:


```
+TCP: [46.105.180.237]:17202 to [60.250.122.41]:80; syncache_timer: Retransmits exhausted, giving up and removing syncache entry
+TCP: [46.105.180.237]:9827 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
+TCP: [46.105.180.237]:32146 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
+TCP: [46.105.180.237]:11845 to [60.250.122.41]:80; syncache_timer: Response timeout, retransmitting (2) SYN|ACK
+TCP: [46.105.180.237]:53448 to [60.250.122.41]:80; syncache_timer: Response timeout, retransmitting (3) SYN|ACK
+TCP: [46.105.180.237]:15907 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
+TCP: [46.105.180.237]:9827 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
+TCP: [46.105.180.237]:12469 to [60.250.122.41]:80; syncache_timer: Response timeout, retransmitting (1) SYN|ACK
+TCP: [46.105.180.237]:48155 to [60.250.122.41]:80; syncache_timer: Retransmits exhausted, giving up and removing syncache entry
+TCP: [46.105.180.237]:15907 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
```

I've blocked the IP in the firewall, but it still keeps sending SYN packets till now.
For only one IP, I don't think it is an attack, but I am wondering if there is something else I should be aware of or actions I should take, since I am a newbie in FreeBSD.

Thank you for any suggestion.
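As an added example (not part of this thread or of FreeBSD itself): a small Python parser for the syncache messages quoted above that counts, per source address, how many handshakes the kernel abandoned and how many ACKs failed syncookie authentication, so a source that keeps doing this after being blocked stands out in a daily report. The sample lines are copied from the post (the leading `+` is the diff marker the daily security report prepends); the reporting threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the log quoted in the post above.
SAMPLE_LOG = """\
+TCP: [46.105.180.237]:17202 to [60.250.122.41]:80; syncache_timer: Retransmits exhausted, giving up and removing syncache entry
+TCP: [46.105.180.237]:9827 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
+TCP: [46.105.180.237]:11845 to [60.250.122.41]:80; syncache_timer: Response timeout, retransmitting (2) SYN|ACK
+TCP: [46.105.180.237]:15907 to [60.250.122.41]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
"""

# Matches the "TCP: [src]:port to [dst]:port[ tcpflags ...]; function: message" layout
# of the kernel's syncache log lines; the optional leading '+' is the report's diff marker.
LINE_RE = re.compile(
    r"^\+?TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r"(?: tcpflags (?P<flags>\S+))?; (?P<func>\w+): (?P<msg>.*)$"
)

def classify(func, msg):
    """Map a syncache message to a coarse event kind."""
    if func == "syncache_expand" and "SYNCOOKIE" in msg:
        return "bad_syncookie"        # ACK that matches no cookie this host issued
    if func == "syncache_timer" and "Retransmits exhausted" in msg:
        return "handshake_abandoned"  # SYN never completed; half-open entry dropped
    if func == "syncache_timer":
        return "synack_retransmit"    # still waiting for the peer's ACK
    return "other"

def parse_log(text):
    """Return one dict per recognised line, with src/dst/ports/func/msg/kind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = classify(d["func"], d["msg"])
            events.append(d)
    return events

def summarize(events, threshold=3):
    """Per-source event counts for sources at or above the (assumed) threshold."""
    per_src = defaultdict(Counter)
    for e in events:
        per_src[e["src"]][e["kind"]] += 1
    return {src: dict(c) for src, c in per_src.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for src, counts in summarize(parse_log(SAMPLE_LOG)).items():
        print(src, counts)
```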


----------



## bbzz (Oct 15, 2011)

If I remember correctly, there are sysctl settings you can use to reduce noise like this.
Such as:
`net.inet.tcp.log_in_vain` or `net.inet.tcp.log_debug`, both set to 0.
Make sure you block everything you don't need and restrict access.


----------



## benpptung (Oct 16, 2011)

Thanks. I've disabled both of them. This IP still keeps sending SYN. It's weird to me, since it has been at it for a couple of weeks. Don't know what it wants.


----------



## SirDice (Oct 16, 2011)

You might want to send an abuse email to abuse@ovh.net. That's the address you find if you do a whois(1) on the IP address. It's some company in London that owns the IP range (OVH is their ISP). One of their servers may be broken or infected.

Don't expect a reply and don't send any attachments. Just state a few facts and some of that logging you've posted here. It might just stop happening one day.


----------



## benpptung (Oct 17, 2011)

Thanks. I've reported it to this email address. I can see it still keeps sending SYN in ipfw now. Don't know when it will stop. Guess it is broken. I am lucky to use FreeBSD, so I don't need to worry too much.


----------

