Jason - Thanks for the reply.

The attack seems to have subsided this morning. The 'foreign address' for all of the SYN_RECV listings in netstat were unique (I captured a list of them if it would help). If they had been somehow spoofed, any ideas how I would be able to figure out where they were coming from?

Thanks again for your help.

amd

--- Jason 'XenoPhage' Frisvold <[EMAIL PROTECTED]> wrote:
> Sounds like a SYN Attack... Are all of these connections sourced from
> the same location? Can you access your router to determine where the
> traffic is coming from?
>
> On Thu, 2003-12-18 at 01:00, andy drexler wrote:
> > Bill -
> >
> > Thanks for the reply.
> >
> > I followed your advice below and it doesn't seem to
> > have made a difference.
> >
> > I did a
> >
> > netstat -n -p TCP
> >
> > and it shows a couple of hundred active connections,
> > with 130 or so being the SYN_RECV state. Could this be
> > some sort of DOS attack?
> >
> > Thanks again for your help.
> >
> > amd
> >
> > --- Bill Shupp <[EMAIL PROTECTED]> wrote:
> > > andy drexler wrote:
> > > > I searched the mail archive and found out why the log
> > > > file was empty. I added the -v to the smtpd/run script
> > > > and the log is now growing. On the server, there are a
> > > > bunch of running smtpd processes:
> > > >
> > > > 21728 ? S 0:00 /var/qmail/bin/qmail-smtpd mail2.smartsite.net /home/vpopmail/bin/vchkpw /bin/true
> > > >
> > > > there are about 20 of these processes.
> > > > the var/log/qmail/smtpd/current file looks like:
> > > >
> > > > @400000003fe135d52844b54c tcpserver: pid 22727 from 66.218.86.99
> > > > @400000003fe135d5284a5e84 tcpserver: ok 22727 0:64.186.170.70:25 :66.218.86.99::41417
> > > > @400000003fe135d534ca88b4 tcpserver: end 22727 status 0
> > > > @400000003fe135d534caafc4 tcpserver: status: 19/20
> > > > @400000003fe135d534ccc304 tcpserver: status: 20/20
> > > > @400000003fe135d534da4024 tcpserver: pid 22729 from 131.202.3.20
> > > > @400000003fe135d534de85e4 tcpserver: ok 22729 0:64.186.170.70:25 :131.202.3.20::33911
> > > >
> > > > a small number of messages do seem to be getting out,
> > > > but basically none of my users can send.
> > >
> > > Looks like your concurrency is maxed. Try increasing your
> > > /var/qmail/control/concurrencyincoming to 50 and
> > > restart qmail-smtpd.
> > >
> > > Regards,
> > >
> > > Bill
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> Engine / Technology Programmer
> [EMAIL PROTECTED]
> RedHat Certified - RHCE # 807302349405893
> MySQL Core Certified - ID# 205982910
> ---------------------------
> "Something mysterious is formed, born in the silent void. Waiting alone
> and unmoving, it is at once still and yet in constant motion. It is the
> source of all programs. I do not know its name, so I will call it the
> Tao of Programming."
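
The check discussed in this thread (counting the SYN_RECV entries in `netstat -n` output and seeing whether their foreign addresses repeat), as an added example that is not part of the original messages. The function name `triage` and the sample rows are constructed for illustration; the addresses come from documentation ranges and the column layout assumed is that of Linux net-tools netstat.

```python
import re
from collections import Counter

# Constructed sample in the layout of Linux `netstat -n` (not data from the thread).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:41417      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.8:33911      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.5:1026        SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:50000       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.20:50022     ESTABLISHED
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, state
ROW = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def triage(netstat_text, top=3):
    """Summarise TCP states and the sources of half-open (SYN_RECV) entries."""
    states = Counter()
    by_port = Counter()    # half-open entries per local port
    by_source = Counter()  # half-open entries per foreign address
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue       # header lines, udp, unix sockets
        _laddr, lport, faddr, _fport, state = m.groups()
        states[state] += 1
        if state == "SYN_RECV":
            by_port[int(lport)] += 1
            by_source[faddr] += 1
    # netstat shows only the claimed source address, so many addresses seen
    # once each cannot by themselves separate spoofed from distributed senders.
    return {
        "states": dict(states),
        "half_open": states["SYN_RECV"],
        "half_open_by_port": dict(by_port),
        "unique_sources": len(by_source),
        "top_sources": by_source.most_common(top),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
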