<span id="mailbox-conversation">Which tool did you use to get this output, perhaps it is not an attack or do you have any kind of log to complement the output?</span><div class="mailbox_signature">—<br>Sent from My mobile device<br></div>
<br><br><div class="gmail_quote"><p>On Tue, Aug 5, 2014 at 8:01 PM, Paul Stewart <span dir="ltr"><<a href="mailto:pstewart@nexicomgroup.net" target="_blank">pstewart@nexicomgroup.net</a>></span> wrote:<br></p><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><p>Thanks for the input. This is new and just started today - it’s
<br>definitely an attack towards the server. We are seeing the exact same
<br>attacks now against other servers but all day until about an hour ago it
<br>was the CentOS mirror specifically (which may have just been dumb luck).
<br>If nobody else is seeing anything like this then that’s good news - the
<br>closest in the past that we have seen is Chinese IP addresses downloading
<br>the same ISO images over and over. This attack is seeing the source IP
<br>addresses worldwide (about 175 of them on average) indicating it’s botnet
<br>related likely.
<br><br>The attacks look like this:
<br><br>Type: TCP SYN Misuse
<br>ID: 198828
<br>Resource: xx.xxx.xx.2/32 Other
<br>Router: Not Applicable
<br>Interface: Not Applicable
<br>Severity: high
<br>Impact: 662.58 Mbps/93.27 Kpps
<br>Started: 2014-08-05 23:55:40
<br>Ended: 2014-08-06 00:02:41
<br>Link rate: 93.27 Kpps, 186.530000% of 50.00 Kpps
<br>Protocol: tcp
<br>Flags: S
<br>Router: xx.xx.xxx.59 (core1.xxxxxxxxx)
<br> Input If.: 694 (xe-4/2/0.101)
<br> Output If.: 604 (xe-2/3/0.0)
<br>URL: https://xxxxxxxxxxxxxxxxxxxxxxxxxxx
<br><br>Thanks,
<br><br>Paul
<br><br><br><br><br>On 2014-08-05, 7:24 PM, "Anssi Johansson" <centos@miuku.net> wrote:
<br><br>>6.8.2014 1.59, Paul Stewart kirjoitti:
<br>>> Hi there…
<br>>>
<br>>> Today, we started getting hit with DDOS attacks specifically against our
<br>>> CentOS mirror. Has anyone else seen this behavior before?
<br>>>
<br>>> These are TCP SYN and TCP RST misuse type attacks.
<br>>
<br>>I don't run a mirror myself, but please note that what you're seeing
<br>>might be simply yum-plugin-fastestmirror doing what's it's supposed to
<br>>do. yum-plugin-fastestmirror determines the closest mirror by opening a
<br>>TCP connection to each mirror and then closing the connection
<br>>immediately. The time spent is measured, and the fastest mirror as
<br>>determined by this process gets selected.
<br>>_______________________________________________
<br>>CentOS-mirror mailing list
<br>>CentOS-mirror@centos.org
<br>>http://lists.centos.org/mailman/listinfo/centos-mirror
<br><br>_______________________________________________<br>CentOS-mirror mailing list<br>CentOS-mirror@centos.org<br>http://lists.centos.org/mailman/listinfo/centos-mirror<br></p></blockquote></div><br>