Endless SYN_RECV arriving on an IPv4 interface under the tcp6 protocol... SYN flood attempt?


I have moved the websites I host to a new machine and am waiting for all traffic on the old machine to die down before shutting it off. The host is Fedora 24 running on Linode. So I noticed that now only one IP number keeps hitting the machine continuously, and I don't know what I'm looking at. On my Linode graphs I see a steady ping of traffic on the "tcp6" graph, so I looked at netstat and see the following:

# netstat -nt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0    236  ..... <my SSH connection to the machine> ...   ESTABLISHED
tcp6       0      0 45.79.130.46:80         113.212.156.53:80       SYN_RECV   

These keep showing up, but there is nothing in the Apache logs, so it seems someone is attempting some kind of abuse on my server, but I don't understand its nature.

Then, running tcpdump against that 113 address, what I see is this:

tcpdump -nv  -tttt -i eth0 -s 65535 port 80  and \( src  113.212.156.53 or dst 113.212.156.53 \)
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2017-09-22 14:49:06.596326 IP (tos 0x0, ttl 53, id 171, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x48e6 (correct), seq 2832531456, win 0, length 0
2017-09-22 14:49:06.596425 IP (tos 0x0, ttl 64, id 32829, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1890582529, win 29200, length 0
2017-09-22 14:49:06.597206 IP (tos 0x0, ttl 53, id 200, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x8afc (correct), seq 1723793408, win 0, length 0
2017-09-22 14:49:08.737416 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    45.79.130.46.http > 113.212.156.53.http: Flags [S.], cksum 0xbda5 (incorrect -> 0x29ac), seq 2451913564, ack 1890582529, win 29200, options [mss 1460], length 0
2017-09-22 14:49:20.592584 IP (tos 0x0, ttl 53, id 69, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x986c (correct), seq 1498349568, win 0, length 0
2017-09-22 14:49:20.592689 IP (tos 0x0, ttl 64, id 36687, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1, win 29200, length 0
2017-09-22 14:49:20.592722 IP (tos 0x0, ttl 53, id 80, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x8e85 (correct), seq 1664483328, win 0, length 0
2017-09-22 14:49:35.705215 IP (tos 0x0, ttl 53, id 152, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0xddfc (correct), seq 331284480, win 0, length 0
2017-09-22 14:49:35.705303 IP (tos 0x0, ttl 64, id 37543, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1, win 29200, length 0
2017-09-22 14:49:35.753541 IP (tos 0x0, ttl 53, id 56, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x6838 (correct), seq 2307063808, win 0, length 0

I don't know whether this is some kind of attack. (Edit: I think it's a SYN flood attack)

Edit: the new server actually shows even more of these. I have changed httpd to listen on 0.0.0.0, so the SYN_RECV connections have moved to "tcp" instead of "tcp6", and I'm trying https://mithunkumr.wordpress.com/tag/syn-flood-attack/
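As an added example (not part of the question or any answer to it), the script below parses the kind of `tcpdump -nv -tttt` output quoted above and summarises, per remote peer, how many SYNs arrived, how many of them carried `win 0`, how many reused the server's own port as source port, and whether the peer ever sent the third ACK that completes the handshake. The capture embedded in the script is the one quoted in the question; the server address is taken from the post, and the threshold of three SYNs is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump -nv -tttt records quoted in the post above.
SAMPLE_CAPTURE = """\
2017-09-22 14:49:06.596326 IP (tos 0x0, ttl 53, id 171, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x48e6 (correct), seq 2832531456, win 0, length 0
2017-09-22 14:49:06.596425 IP (tos 0x0, ttl 64, id 32829, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1890582529, win 29200, length 0
2017-09-22 14:49:06.597206 IP (tos 0x0, ttl 53, id 200, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x8afc (correct), seq 1723793408, win 0, length 0
2017-09-22 14:49:08.737416 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    45.79.130.46.http > 113.212.156.53.http: Flags [S.], cksum 0xbda5 (incorrect -> 0x29ac), seq 2451913564, ack 1890582529, win 29200, options [mss 1460], length 0
2017-09-22 14:49:20.592584 IP (tos 0x0, ttl 53, id 69, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x986c (correct), seq 1498349568, win 0, length 0
2017-09-22 14:49:20.592689 IP (tos 0x0, ttl 64, id 36687, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1, win 29200, length 0
2017-09-22 14:49:20.592722 IP (tos 0x0, ttl 53, id 80, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x8e85 (correct), seq 1664483328, win 0, length 0
2017-09-22 14:49:35.705215 IP (tos 0x0, ttl 53, id 152, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0xddfc (correct), seq 331284480, win 0, length 0
2017-09-22 14:49:35.705303 IP (tos 0x0, ttl 64, id 37543, offset 0, flags [DF], proto TCP (6), length 40)
    45.79.130.46.http > 113.212.156.53.http: Flags [.], cksum 0x4169 (correct), ack 1, win 29200, length 0
2017-09-22 14:49:35.753541 IP (tos 0x0, ttl 53, id 56, offset 0, flags [none], proto TCP (6), length 40)
    113.212.156.53.http > 45.79.130.46.http: Flags [S], cksum 0x6838 (correct), seq 2307063808, win 0, length 0
"""

SERVER_IP = "45.79.130.46"  # the server's address as it appears in the post

# First line of each record: timestamp and the IP header (we keep the TTL).
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+) IP \(.*?ttl (?P<ttl>\d+),")
# Second line: endpoints (port may be numeric or a service name like "http"),
# the TCP flags and the advertised window.
TCP_RE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*\bwin (?P<win>\d+)"
)


def parse_capture(text):
    """Pair each IP header line with its TCP line; return a list of dicts."""
    lines = text.splitlines()
    records, i = [], 0
    while i + 1 < len(lines):
        h, t = HEADER_RE.match(lines[i]), TCP_RE.match(lines[i + 1])
        if h and t:
            rec = t.groupdict()
            rec["ts"], rec["ttl"], rec["win"] = h["ts"], int(h["ttl"]), int(t["win"])
            records.append(rec)
            i += 2
        else:
            i += 1  # skip lines that are not part of a two-line record
    return records


def peer_stats(records, server_ip):
    """Per remote peer, count what each side of the handshake did."""
    stats = defaultdict(lambda: {"syn": 0, "syn_win0": 0, "same_port": 0,
                                 "peer_ack": 0, "synack_sent": 0, "server_ack": 0})
    for r in records:
        if r["dst"] == server_ip:            # inbound packet from a peer
            s = stats[r["src"]]
            if r["flags"] == "S":
                s["syn"] += 1
                s["syn_win0"] += int(r["win"] == 0)
                s["same_port"] += int(r["sport"] == r["dport"])
            elif r["flags"] == ".":          # a pure ACK (handshake step 3 or later)
                s["peer_ack"] += 1
        elif r["src"] == server_ip:          # our reply to that peer
            s = stats[r["dst"]]
            if r["flags"] == "S.":
                s["synack_sent"] += 1
            elif r["flags"] == ".":
                s["server_ack"] += 1
    return dict(stats)


def half_open_sources(stats, min_syn=3):
    """Peers that keep sending SYNs but never ACK: the SYN_RECV entries netstat shows."""
    return sorted(ip for ip, s in stats.items()
                  if s["syn"] >= min_syn and s["peer_ack"] == 0)


if __name__ == "__main__":
    stats = peer_stats(parse_capture(SAMPLE_CAPTURE), SERVER_IP)
    for ip, s in stats.items():
        print(ip, s)
    print("half-open sources:", half_open_sources(stats))
```

On the capture from the post, the peer sends six SYNs, all with a zero window and all from port 80 to port 80, and never sends the ACK that would finish the handshake; each such SYN leaves a half-open entry in SYN_RECV, which is exactly what netstat was listing. Two background points are worth knowing when reading that output: a listening socket bound to `::` accepts IPv4 clients as IPv4-mapped addresses, so netstat lists them under tcp6 until httpd is rebound to 0.0.0.0 (as the edit describes), and the kernel's SYN cookies (`net.ipv4.tcp_syncookies`) are the standard mitigation that keeps a stream of unanswered SYNs from exhausting the listen backlog.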
