# Hacking/DoS attack.  What to do?

## Aggiemaster

I set up a gentoo server to host a small personal website.  I figured we wouldn't have any problems or anything since no one should be looking at the webpage except a few people.  Our internet connection has been going out lately, and I think I figured it out.  The router we are using was logging SYN Flood messages and LAN-Side Ping Flood messages all originating from and going to the IP address of my server.  I took the server down (disconnected it from the internet) and our internet works fine now.  All I need now is to figure out how to stop this from happening and make the server more secure so I can host the website again.  Of course I have no clue where to start, so I was hoping someone could lead me in the right direction.

Here is some info on the logs from the router:

```
LAN-side Ping Flood   19   THU MAY 12 17:14:05 2005    172.187.36.19:1284    192.168.0.13:6347
SYN Flood   1   THU MAY 12 17:14:05 2005    192.168.0.13:6347    85.97.96.19:2518
LAN-side Ping Flood   109   THU MAY 12 17:14:16 2005    64.230.0.111:1201    192.168.0.13:6347
SYN Flood   1   THU MAY 12 17:14:16 2005    192.168.0.13:6347    24.205.131.166:45110
LAN-side Ping Flood   10358   THU MAY 12 20:24:14 2005    84.58.9.155:1836    192.168.0.13:6347
```

The columns are Description, Count, Last Occurrence, Target, Source.

There are more entries but I figured this was sufficient.  The interesting thing is the port they are using (6347).  I am not sure what is running on this port, but all the entries make reference to it.

Also, I went through the /var/log/messages file and found hundreds (maybe thousands, I didn't count) of logon attempts to ssh.  It looked like they were trying random usernames and passwords.  All of these were failed logons from what I could tell, but I am not sure.

So, I don't know where to start with this problem.  If anyone has suggestions, let me know, and if you need more information, let me know.  I would be glad to tell you or look something up.

Thanks in advance!
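To make the router entries above easier to reason about, here is a small parser written for this thread (it is not code from the poster or from the router vendor). It assumes the column order the post gives, Description, Count, Last Occurrence, Target, Source, with fields separated by two or more spaces, and that 192.168.0.13 is the server's own address; the sample input is constructed from the five lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the five router log lines quoted in the post above.
ROUTER_LOG = """\
LAN-side Ping Flood   19   THU MAY 12 17:14:05 2005    172.187.36.19:1284    192.168.0.13:6347
SYN Flood   1   THU MAY 12 17:14:05 2005    192.168.0.13:6347    85.97.96.19:2518
LAN-side Ping Flood   109   THU MAY 12 17:14:16 2005    64.230.0.111:1201    192.168.0.13:6347
SYN Flood   1   THU MAY 12 17:14:16 2005    192.168.0.13:6347    24.205.131.166:45110
LAN-side Ping Flood   10358   THU MAY 12 20:24:14 2005    84.58.9.155:1836    192.168.0.13:6347
"""

# Columns in the order the poster gives them: Description, Count,
# Last Occurrence, Target, Source (two or more spaces separate fields).
LINE_RE = re.compile(
    r"^(?P<desc>.+?)\s{2,}(?P<count>\d+)\s{2,}"
    r"(?P<when>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})\s{2,}"
    r"(?P<target>[\d.]+):(?P<tport>\d+)\s{2,}(?P<source>[\d.]+):(?P<sport>\d+)\s*$"
)

LOCAL_HOST = "192.168.0.13"  # the server's LAN address, taken from the log (assumption)


def parse_router_log(text):
    """Parse flood-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("count", "tport", "sport"):
                d[k] = int(d[k])
            events.append(d)
    return events


def summarize(events, local_host=LOCAL_HOST):
    """Total reported packets per remote address, and how often each local
    port appears, so the noisiest peers and the port in question stand out."""
    per_remote, local_ports = defaultdict(int), defaultdict(int)
    for e in events:
        if e["target"] == local_host:
            remote, lport = e["source"], e["tport"]
        else:
            remote, lport = e["target"], e["sport"]
        per_remote[remote] += e["count"]
        local_ports[lport] += 1
    return dict(per_remote), dict(local_ports)
```

Calling `summarize(parse_router_log(ROUTER_LOG))` returns the packet totals per remote address (the 84.58.9.155 entry dominates with 10358) and confirms that every entry involves local port 6347, which is the kind of per-peer summary worth attaching to an abuse report to the remote addresses' ISPs.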

----------

## groovin

If you google for articles on defending against SYN DoS attacks, there will be a ton of info out there. It might also be a good idea to contact your ISP and let them know you're getting DoS'ed if it happens again. They might be able to do something about it.

Also, those ssh attempts are pretty common nowadays; just make sure you don't have a user with a password of "user" or anything dumb like that, and keep ssh up to date.

----------

## Aggiemaster

Thanks for your reply.  I have been reading some stuff the last couple of days and it seems that there is no real failsafe way to stop this kind of attack.  I will keep searching though.

Do you know of any good network analyzers I could install?  One site mentioned tcpdump as a good packet logging tool.  I don't think that I have any way of analyzing the traffic until I have something like this.  Any suggestions?

----------

## Chaosite

Research syncookies.

Look at snort + base, and also ethereal.

----------

## echto

Use ifconfig to change the mac address of your nic and query for a new IP address (dhcp) from your provider, change domains (extremely cheap nowadays), update the dns, and make sure you reject Google's robot so your webserver doesn't get indexed with the search engine.

Sure, that may be overkill, but if there's a smartass out there who doesn't like you and knows your domain, you may be in for some headaches.

----------

## groovin

Yeah, no real failsafe way of stopping it. Usually big companies have servers on multiple ISPs and can play with their DNS when they get attacked.

tcpdump is great, but if you're getting flooded, then its output might not be so friendly. I use it on low traffic networks. I know it has tons of options, but I haven't checked them all out yet. As already mentioned, ethereal is great, and snort is a good lightweight IDS.

----------

## NeddySeagoon

Aggiemaster,

There's not a lot you can do about DOS attacks. You can stop them bringing your server down. Look at syncookies in the kernel config. Do a whois on the IP of the attacker. If you maintain your time with ntp, an email with a log fragment to the attackers' ISPs is worth considering. The time is important because the IP addresses may be dynamic.

The attackers may be zombie boxes but the host ISPs won't be happy and may take action.

You cannot stop DOS from soaking up your bandwidth, all you can do is make your server tolerant.

----------

