
May 3rd, 2008, 02:29 PM
Crypto-Con
Join Date: Apr 2004
Location: UC Davis
(Thread split. The original thread you posted in was years old. Please just start a new thread for your questions.)
If your server thinks you're sending too many SYN packets at it, you might want to validate this fact. Install a packet sniffing program like Wireshark -- it's pretty straightforward to both install and operate -- and watch all the packets going through your computer.
I'm not sure how familiar you are with the TCP protocol, but in essence what happens is to establish a connection, you send a request SYN packet to the server, the server sends an acknowledging SYN+ACK packet back, and you send a finalizing ACK packet to the server -- the classic three-way handshake.
If you want to find a service on a machine that you can exploit, you can employ a technique called port-scanning. The simplest form of port scanning is just to send a request packet to thousands of different ports on the server looking for *something* to reply with a SYN+ACK, meaning there is a service on that port.
If you are rightfully being accused of SYN flooding, it is likely that some sort of crapware got onto your computer and is launching automated SYN scan attacks against your server. I've seen it happen with family members' computers. Crapware gets on your machine, then sniffs the connection looking for anything you connect to, then port-scans other machines in an effort to replicate itself (I guess).
When you run Wireshark on your PC, ensure you have no explicit connections with any server that might cause a lot of packet exchange -- i.e., ensure you're not downloading a file or whatnot. If your connection is normal, you should see just a few packets coming and going from your computer. If crapware on your computer is launching an attack, you will see tons of SYN packets, all destined to the same server. Should be pretty simple to assess. (A complication might be that the crapware only does scans in bursts -- if at first you see nothing, leave it running for a long time to be sure.)
Odds are pretty good that your server is not in error. They would've had to have registered thousands of unwarranted SYN packets before they decided to blacklist you -- impossible to happen by chance. Either you or someone on your network is most assuredly infected with something.
__________________
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.
- Why know the ordinary when you can understand the extraordinary?
- Sponsor my caffeine addiction! (36.70 USD received so far -- Latest donor: Mark Foxvog)
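As an added example (not part of the original post), the check described above can be automated over a text capture instead of watching the packet list by eye: count bare SYNs leaving your own machine per destination inside a sliding window, so a scan that only runs in bursts still shows up. It assumes the capture was exported as `tcpdump -nn -tt` style text lines; the function names, window, threshold and sample addresses are hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed input: tcpdump -nn -tt text (epoch time, src.port > dst.port, TCP flags)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse_syns(lines, local_ip):
    """Yield (timestamp, dst_ip, dst_port) for bare SYNs sent by local_ip."""
    for line in lines:
        m = LINE_RE.match(line)
        # "S" alone is a connection request; "S." is SYN+ACK and "." is a plain ACK
        if m and m["src"] == local_ip and m["flags"] == "S":
            yield float(m["ts"]), m["dst"], int(m["dport"])

def find_syn_bursts(lines, local_ip, window=10.0, threshold=20):
    """Return {dst_ip: (peak SYNs in any window, distinct ports)} for noisy destinations."""
    recent = defaultdict(deque)   # dst -> timestamps still inside the window
    peak = defaultdict(int)       # dst -> largest window count seen so far
    ports = defaultdict(set)      # dst -> destination ports that were probed
    for ts, dst, dport in parse_syns(lines, local_ip):
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window:  # drop SYNs that fell out of the window
            q.popleft()
        peak[dst] = max(peak[dst], len(q))
        ports[dst].add(dport)
    return {d: (peak[d], len(ports[d])) for d in peak if peak[d] >= threshold}

def constructed_capture():
    """Constructed sample: one normal handshake, then a 4-second burst of SYNs."""
    local = "192.168.1.10"
    lines = [
        f"1209850140.100000 IP {local}.50000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0",
        f"1209850140.150000 IP 198.51.100.7.443 > {local}.50000: Flags [S.], seq 9, ack 2, win 65535, length 0",
        f"1209850140.151000 IP {local}.50000 > 198.51.100.7.443: Flags [.], ack 10, win 64240, length 0",
    ]
    for i in range(40):  # 40 SYNs to one server, a different port each time
        lines.append(f"{1209850200 + i * 0.1:.6f} IP {local}.{51000 + i} > "
                     f"203.0.113.5.{20 + i}: Flags [S], seq {i}, win 64240, length 0")
    return local, lines

if __name__ == "__main__":
    local, lines = constructed_capture()
    for dst, (count, nports) in find_syn_bursts(lines, local).items():
        print(f"{dst}: {count} SYNs within 10s across {nports} ports")
```

A single destination with a high peak count and many distinct ports matches the scan pattern the post describes; an ordinary handshake contributes one SYN and stays under the threshold.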