question on SYN_SENT
Robert Bonomi
bonomi at mail.r-bonomi.com
Sat May 12 00:05:08 UTC 2012
> From owner-freebsd-questions at freebsd.org Fri May 11 17:19:29 2012
> From: "Chad Leigh Shire.Net LLC" <chad at shire.net>
> Date: Fri, 11 May 2012 16:15:48 -0600
> To: Chuck Swiger <cswiger at mac.com>
> Cc: FreeBSD Mailing List <freebsd-questions at freebsd.org>
> Subject: Re: question on SYN_SENT
>
>
> On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
>
> > On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> >> it is my understanding that SYN_SENT is when MY SIDE sends out a request
> >> and is awaiting a reply?
> >
> > That's right.
> >
> >> One of the jails we run for a customer had hundreds (if not thousands) of
> >> attempts to connect from the 147. address you see below.
Correction. As Chuck pointed out it is your box attempting to connect *TO*
that address.
> >> It was exhausting resources so that new tcp connections could not be
> >> made until some closed.
> >
> > You have/had your jail opening connections to the webserver at IP
> > 147.237.76.155, not that IP trying to connect to you.
> >
> >> I added that address to a "pf" block statement to stop it but now we get
> >> rolling connections in a "netstat -a" as shown below (host. being a
> >> generic name used in place of actual host on our side). I am wondering
> >> if this shows something on our side trying to connect out? That is what
> >> it appears to me to be, which does not make sense.
> >>
> >>
> >> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> >> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
> >
> > Yes, your side is trying to connect out.
> > Unless you know better, it seems reasonable to gather that it's doing a
> > DoS attack against:
>
> Hi Chuck!
>
> Thanks. I am investigating as this side should not be going out at all, but
> the SYN_SENT made me think it was.
>
'Should not' does not mean 'is not', and unfortunately, it -is- attempting
to "go out".
There are at least a couple of possible explanations, none of them "good".
1) the jail is attempting a DoS (or participating in DDoS) against an
Israeli _government_ network/machine.
2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
instructions.
The webserver on the IP address listed has -extremely- 'suspicious' content,
to wit:

<html>
<body>
<script>
document.cookie='fffffff=ee0333b9fffffff_ee0333b9; path=/';
window.location.href=window.location.href;
</script>
</body>
</html>
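As an added example (not part of the thread, and not FreeBSD's own tooling), the script below does the check both Chuck and Robert base their diagnosis on: it parses `netstat -an` style output and tallies sockets in SYN_SENT by remote endpoint. Because SYN_SENT only ever appears on the side that sent the SYN, every hit is an outbound attempt from the host or jail, so a pile-up toward one remote address is a machine-readable version of what the quoted `netstat -a` lines show. The sample lines and the flagging threshold are constructed for the example.

```python
"""Tally half-open outbound TCP connections (SYN_SENT) per remote endpoint
from `netstat -an` style output, as a quick check for a host that is
connecting out when it should not be."""

from collections import Counter

# Constructed sample in FreeBSD `netstat -an` layout (numeric ports, so
# "http" from the thread appears as 80). The three SYN_SENT lines toward
# 147.237.76.155 mirror the pattern quoted above; the rest are made up
# to show inbound and idle sockets being ignored.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.52562         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.52561         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.52560         147.237.76.155.80      SYN_SENT
tcp4       0      0 10.0.0.5.80            198.51.100.7.41022     ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.9.53311      SYN_RCVD
tcp4       0      0 10.0.0.5.49152         192.0.2.10.443         SYN_SENT
tcp4       0      0 *.22                   *.*                    LISTEN
"""


def split_endpoint(endpoint):
    """'147.237.76.155.80' -> ('147.237.76.155', '80').

    FreeBSD netstat joins address and port with a dot, so the port is
    whatever follows the last dot; this also copes with '*.*'.
    """
    addr, _, port = endpoint.rpartition(".")
    return addr, port


def parse_netstat(text):
    """Yield (local_addr, local_port, remote_addr, remote_port, state) for
    every TCP socket line; banner and header lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        laddr, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        yield laddr, lport, raddr, rport, fields[5]


def syn_sent_by_remote(text):
    """Counter mapping 'remote_addr:remote_port' to the number of sockets
    sitting in SYN_SENT toward it.

    SYN_SENT is only ever shown on the side that sent the SYN, so each
    entry is an outbound attempt from this host, never an inbound one
    (an inbound half-open connection would show as SYN_RCVD instead).
    """
    counts = Counter()
    for _laddr, _lport, raddr, rport, state in parse_netstat(text):
        if state == "SYN_SENT":
            counts[f"{raddr}:{rport}"] += 1
    return counts


def flag_outbound_floods(text, threshold=2):
    """Remote endpoints with at least `threshold` half-open outbound
    connections, most frequent first. The threshold is an assumed value;
    tune it to the host's normal outbound behaviour."""
    counts = syn_sent_by_remote(text)
    return [(ep, n) for ep, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # On a live box: netstat -an | python3 this_script.py  (after swapping
    # SAMPLE_NETSTAT for sys.stdin.read()).
    for endpoint, count in flag_outbound_floods(SAMPLE_NETSTAT):
        print(f"{count:5d} SYN_SENT -> {endpoint}")
```

A single remote endpoint collecting many SYN_SENT entries from ephemeral local ports is the signature to look for; the next step on the host side is to map those sockets to the owning process (for example with `sockstat` on FreeBSD) rather than only blocking the destination in `pf`, since a block stops the packets but not whatever inside the jail keeps opening them.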