Chad Leigh Shire.Net LLC | 11 May 23:09 2012

question on SYN_SENT


It is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?

One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new TCP connections could not be made until some closed.

I added that address to a "pf" block statement to stop it, but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.

tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52559         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52558         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52557         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52556         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52555         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52554         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52553         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52552         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52551         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52550         147.237.76.155.http    SYN_SENT

thanks
Chad

_______________________________________________
freebsd-questions <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions

Chuck Swiger | 12 May 00:08 2012

Re: question on SYN_SENT

On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> it is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?

That's right.

> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new TCP connections could not be made until some closed.

You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to
connect to you.

> I added that address to a "pf" block statement to stop it, but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
> 
> tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
> tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT

Yes, your side is trying to connect out.
Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

% whois 147.237.76.155
[ ... ]
inetnum:      147.237.0.0 - 147.237.255.255
netname:      IL-GOVT-NET
descr:        Israeli Government Network
country:      IL
admin-c:      AT979-RIPE
tech-c:       TT441-RIPE
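To make the direction argument above concrete, here is an added POSIX shell example (not from Chuck's reply, Chad's post or the FreeBSD project) that tallies SYN_SENT entries in "netstat -a" output by remote address and flags remotes the local host is hammering with half-open outbound connections. The sample netstat lines are constructed to resemble the ones in Chad's post, and the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample of FreeBSD "netstat -a" output; not captured from the thread's host.
# "host.NNNNN" is the local side with an ephemeral port, "<ip>.http" the remote side.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.ssh           10.0.0.5.50312         ESTABLISHED
tcp4       0      0 host.http          198.51.100.7.40001     SYN_RCVD
tcp4       0      0 *.http             *.*                    LISTEN'

# syn_sent_by_remote: read "netstat -a" style lines on stdin and print
# "<count> <remote>" for every remote address the LOCAL side is trying to
# reach (state SYN_SENT), highest count first.  Inbound attempts show up
# as SYN_RCVD, so they are deliberately not counted here.
syn_sent_by_remote() {
    awk '$NF == "SYN_SENT" {
            remote = $5
            sub(/\.[^.]*$/, "", remote)   # strip the trailing ".port" (e.g. ".http" or ".80")
            count[remote]++
        }
        END { for (r in count) print count[r], r }' | sort -rn
}

# flag_outbound_floods THRESHOLD: print only remotes with at least THRESHOLD
# half-open outbound connections (the "rolling SYN_SENT" pattern).
flag_outbound_floods() {
    threshold="$1"
    syn_sent_by_remote | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# On a live FreeBSD host, feed the real command instead of the sample:
#   netstat -an | flag_outbound_floods 50
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sent_by_remote
```

Two practical notes: run netstat with -n so neither addresses nor port names are resolved (the count still works, because the port suffix is stripped either way), and remember that the pf block only stops the SYNs from leaving; each socket then sits in SYN_SENT until the kernel's connect timeout expires, which is exactly why the list keeps "rolling" after the rule was added. The side with the sequential ephemeral ports (host.52562, host.52561, ...) is always the side that called connect(), so the next step is to map those sockets to a process inside the jail, for example with "sockstat -4c".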

Chad Leigh Shire.Net LLC | 12 May 00:15 2012

Re: question on SYN_SENT


On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:

> On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
>> it is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?
> 
> That's right.
> 
>> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new TCP connections could not be made until some closed.
> 
> You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.
> 
>> I added that address to a "pf" block statement to stop it, but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of the actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.
>> 
>> tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
>> tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
> 
> Yes, your side is trying to connect out.
> Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

Hi Chuck!

Thanks.  I am investigating as this side should not be going out at all, but the SYN_SENT made me think it was.

Thanks

Robert Bonomi | 12 May 02:06 2012

Re: question on SYN_SENT

> From owner-freebsd-questions <at> freebsd.org  Fri May 11 17:19:29 2012
> From: "Chad Leigh Shire.Net LLC" <chad <at> shire.net>
> Date: Fri, 11 May 2012 16:15:48 -0600
> To: Chuck Swiger <cswiger <at> mac.com>
> Cc: FreeBSD Mailing List <freebsd-questions <at> freebsd.org>
> Subject: Re: question on SYN_SENT
>
>
> On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
>
> > On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> >> It is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?
> > 
> > That's right.
> > 
> >> One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below.

Correction.  As Chuck pointed out it is your box attempting to connect *TO*
that address.

> >> It was exhausting resources so that new TCP connections could not be made until some closed.
> > 
> > You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.
> > 
> >> I added that address to a "pf" block statement to stop it but now we get

Chad Leigh Shire.Net LLC | 4 Jun 18:38 2012

Re: question on SYN_SENT


On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:
> 
> 'Should not' does not mean 'is not'. and unfortunately, it -is- attempting
> to "go out".
> 
> There are at least a couple of possible explanations, none of them "good".
>  1) the jail is attempting a DoS (or participating in  DDoS) against an
>     Israeli _government_ network/machine.
>  2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
>     instructions.

Sorry for the delay in response. Did not mean to ignore this. Was busy figuring out and correcting this (and then the other normal day-to-day stuff that comes up).

Yes, it looks like a customer's JBOSS installation had been hacked. It was running in its own jail with RO mounting of /usr (except /usr/local), /bin, /sbin and other system directories. It was basically scanning for more open JBOSS stuff. The attack had just barely happened (the server had just been installed). I disabled the JBOSS, cleaned everything up and scanned the jail for problem files etc. The customer fixed the JBOSS vulnerability (a well-known one) and decided to leave it off for now.

Thanks for all the help on this

Chad

--

