On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> it is my understanding that SYN_SENT is when MY SIDE sends out a request and
> is awaiting a reply?
That's right.
> One of the jails we run for a customer had hundreds (if not thousands) of
> attempts to connect from the 147. address you see below. It was exhausting
> resources so that new tcp connections could not be made until some closed.
You have/had your jail opening connections to the webserver at IP
147.237.76.155, not that IP trying to connect to you.
> I added that address to a "pf" block statement to stop it but now we get
> rolling connections in a "netstat -a" as shown below (host. being a generic
> name used in place of actual host on our side). I am wondering if this
> shows something on our side trying to connect out? That is what it appears
> to me to be, which does not make sense.
>
>
> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
Yes, your side is trying to connect out.
Unless you know better, it seems reasonable to gather that it's doing a DoS
attack against:
% whois 147.237.76.155
[ ... ]
inetnum: 147.237.0.0 - 147.237.255.255
netname: IL-GOVT-NET
descr: Israeli Government Network
country: IL
admin-c: AT979-RIPE
tech-c: TT441-RIPE
status: ASSIGNED PI
mnt-by: GOV-IL-DNS
mnt-lower: GOV-IL-DNS
mnt-routes: AS8867-MNT { ANY }
mnt-routes: AS9116-MNT { 147.237.232.0/24^24-24 }
source: RIPE # Filtered
person: Admin Tehila
address: Israel Ministry Of Finance
address: 1 Netanel Lorech st
address: Jerusalem Israel
phone: +972 2 6664666
fax-no: +972 2 6664650
remarks: For ABUSE and security issues please contact
remarks: email: [email protected]
remarks: or contact CERT.gov.il at [email protected]
nic-hdl: AT979-RIPE
source: RIPE # Filtered
Regards,
--
-Chuck
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
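To make the point of the reply concrete (SYN_SENT with your own host as the local address means your side is initiating), here is a small added example, not code from the thread, that parses FreeBSD-style `netstat -a` lines and counts half-open outbound connections per local host and destination. The sample output is constructed; only the 147.237.76.155 destination and the `host` placeholder come from the post, the other addresses and ports are made up.

```python
import re
from collections import Counter

# FreeBSD netstat prints "address.port" with the port (or service name)
# after the LAST dot, so the address part may itself contain dots.
_NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp[46])\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s*$"
)

def split_addr(endpoint):
    """'147.237.76.155.http' -> ('147.237.76.155', 'http')."""
    addr, _, port = endpoint.rpartition(".")
    return addr, port

def parse_netstat(text):
    """Return one dict per TCP socket line; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["local_addr"], d["local_port"] = split_addr(d["local"])
        d["foreign_addr"], d["foreign_port"] = split_addr(d["foreign"])
        rows.append(d)
    return rows

def outbound_syn_sent(rows):
    """Count SYN_SENT sockets per (local host, foreign addr, foreign port).
    SYN_SENT is only ever shown on the side that sent the SYN, so a large
    count here means the local host is the one opening the connections."""
    counts = Counter()
    for r in rows:
        if r["state"] == "SYN_SENT":
            counts[(r["local_addr"], r["foreign_addr"], r["foreign_port"])] += 1
    return counts

def flag_outbound_floods(text, threshold=50):
    """Destinations with at least `threshold` half-open outbound connections
    from one local host, most active first."""
    counts = outbound_syn_sent(parse_netstat(text))
    return sorted(((k, n) for k, n in counts.items() if n >= threshold),
                  key=lambda kv: -kv[1])

# Constructed sample `netstat -a` output (not real data from the post).
SAMPLE = "\n".join(
    ["Active Internet connections (including servers)",
     "Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)",
     "tcp4       0      0  host.ssh               10.0.0.5.50123         ESTABLISHED",
     "tcp4       0      0  *.http                 *.*                    LISTEN"]
    + [f"tcp4       0      0  host.{52000 + i}             147.237.76.155.http    SYN_SENT"
       for i in range(120)]
    + ["tcp4       0      0  host.60001             192.0.2.10.https       SYN_SENT"])
```

Running `flag_outbound_floods(SAMPLE)` on a live box would be `flag_outbound_floods(subprocess.check_output(["netstat", "-an"], text=True))`; a destination that shows up with a high count is where to look for the process inside the jail that is doing the connecting (e.g. with `sockstat -4c` in that jail).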