Another SYN flood attack?


Post by ras07 » 2020-04-30 17:33

Back in Oct/Nov 2019 I (and apparently others) was getting hammered with SYN flood DOS attacks ( https://www.hmailserver.com/forum/viewtopic.php?t=34513 ; related thread https://www.hmailserver.com/forum/viewtopic.php?t=33965 ). The original symptom was that my nightly backup routine would hang when trying to briefly stop hMS. I wrote some scripts to detect/block the attacks, but they suddenly stopped in early November and never re-appeared. I monitored things for several months but quit when the attacks didn't re-appear.

Well, last night my backup hung again. I'm monitoring half-open connections again but haven't seen anything yet. Is anyone else seeing a re-emergence of this nuisance?
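Added example, not part of ras07's post or any hMailServer script: one way to monitor half-open connections the way the post describes, by parsing `netstat -an` output (Windows format, where half-open inbound connections show as SYN_RECEIVED; Linux prints SYN_RECV) and counting them per remote address on the mail ports. The sample netstat text, the ports, the per-IP and total limits, and the function names are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:25          198.51.100.7:51234     SYN_RECEIVED
  TCP    192.0.2.10:25          198.51.100.7:51235     SYN_RECEIVED
  TCP    192.0.2.10:25          198.51.100.7:51236     SYN_RECEIVED
  TCP    192.0.2.10:25          203.0.113.5:40001      ESTABLISHED
  TCP    192.0.2.10:587         203.0.113.9:40002      SYN_RECEIVED
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
"""

# One netstat row: proto, local ip:port, remote ip:port, state.
# \S+ is greedy, so "[::]:25" still splits into "[::]" and "25".
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# States that mean "SYN received, handshake not completed" on the two OS families.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def half_open_by_source(netstat_text, ports=(25, 587)):
    """Count half-open connections per remote IP, limited to the mail listener ports."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, UDP rows, anything else
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state in HALF_OPEN_STATES and int(local_port) in ports:
            counts[remote_ip] += 1
    return counts


def flag_sources(counts, per_ip_limit=2, total_limit=50):
    """Return the addresses above the per-IP limit and whether the backlog as a whole
    looks like a flood. Limits are assumed values; tune them to the server's normal load."""
    total = sum(counts.values())
    suspects = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
    return {"suspects": suspects, "total": total, "flood": total > total_limit}


if __name__ == "__main__":
    # In production, replace SAMPLE_NETSTAT with subprocess.check_output(["netstat", "-an"]).
    print(flag_sources(half_open_by_source(SAMPLE_NETSTAT)))
```

A spoofed-source SYN flood will usually spread across many random addresses rather than one, so the `total` figure matters as much as the per-IP list; per-IP blocking only helps against the non-spoofed case.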


Post by palinka » 2020-04-30 19:15

Nothing yet.


Post by SorenR » 2020-05-11 13:13

https://www.spamhaustech.com/custom-con ... te-LR1.pdf

Oh and by the way... Spamhaus did a major revamp of their webpage :wink:

OOOOOOOHH.... :shock:

https://www.spamhaustech.com/threat-map/
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke


Post by palinka » 2020-05-11 15:24

Interesting that Russia is not even on the Spamhaus list and China is a lot further down my list than theirs.

Spamhaus Top 10 Bot List by Country
1 India 1,855,386
2 China 1,555,824
3 Egypt 910,737
4 Viet Nam 900,007
5 Iran (Islamic Republic of) 816,115
6 Brazil 750,503
7 Thailand 549,574
8 Algeria 437,817
9 Indonesia 423,720
10 Turkey 408,022

Palinka Top 10 Ban List by Country (Firewall Banned for any reason - mostly bots)
1 Vietnam 4,893
2 United States 3,578
3 Russia 2,583
4 Brazil 2,380
5 Egypt 1,145
6 Thailand 1,011
7 China 848
8 France 831
9 India 774
10 Indonesia 617


Post by palinka » 2020-05-11 16:05

I found an active botnet in my neighborhood. IT'S NOT ME - I PROMISE!!! :mrgreen:


Post by SorenR » 2020-05-11 16:34

palinka wrote (2020-05-11 15:24):
Interesting that Russia is not even on the Spamhaus list and China is a lot further down my list than theirs.

Spamhaus Top 10 Bot List by Country
1 India 1,855,386
2 China 1,555,824
3 Egypt 910,737
4 Viet Nam 900,007
5 Iran (Islamic Republic of) 816,115
6 Brazil 750,503
7 Thailand 549,574
8 Algeria 437,817
9 Indonesia 423,720
10 Turkey 408,022

Palinka Top 10 Ban List by Country (Firewall Banned for any reason - mostly bots)
1 Vietnam 4,893
2 United States 3,578
3 Russia 2,583
4 Brazil 2,380
5 Egypt 1,145
6 Thailand 1,011
7 China 848
8 France 831
9 India 774
10 Indonesia 617
So you did not read the pdf?

The world’s worst spam support ISPs – number of known spam issues : #2 google.com United States
Geolocation of botnet C&Cs in Q1 2020 : #1 United States
Most abused domain registrars, Q1 2020 : #1 namecheap United States <== Been there, done that, still fighting .ICU domains.
Internet Service Providers (ISPs) hosting botnet C&Cs, Q1 2020 : #1 cloudflare.com United States

So, what was it you were saying about the botnet you found? I smell a RAT :mrgreen:


Post by palinka » 2020-05-11 20:40

SorenR wrote (2020-05-11 16:34):
So you did not read the pdf?
Nope, but I just read it. Found something interesting and I can concur:
Most abused top-level domains, Q1 2020

.com: Throughout 2019, we reported that the vast majority of botnet C&C domains were registered in the generic top-level-domain (gTLD) .com. This trend continued in Q1 2020 with .com accounting for approximately 45% of the top-level botnet C&C domains.
I noticed a pattern of spammers where there is a VALID hostname and VALID PTR. The hostnames are kooky sounding things like "unrefracted.com". They send spam from multiple IPs, all with valid PTRs using subdomains, e.g. after.unrefracted.com, go.unrefracted.com, etc. They set up and blast out spam for a few days before getting picked up by Spamhaus. I set up a thing I called "catchspam" (yeah, it's lame - I'm not creative in that way) where every message with SpamAssassin score over the delete threshold gets the domain recorded and then counted on subsequent spams. When I get 3 hits from the main domain, future spams get rejected based on the main domain. That means all the subdomains get rejected along with the main domain. This has worked out pretty well for me since putting it in effect.

By the way, I worked out parsing the public_suffix_list (sort of) - see here.
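Added example, not palinka's actual "catchspam" script: a minimal version of the counting scheme described above. Each message whose SpamAssassin score is at or over the delete threshold adds one hit to the sender's registrable ("main") domain; once a domain reaches 3 hits, any later sender under that domain, subdomains included, is rejected without scoring. The registrable domain comes from a public-suffix lookup, shown here with a hand-picked handful of suffixes standing in for the full public_suffix_list (wildcard and exception rules from the real list are omitted). The threshold value, class and function names, and the sample messages are assumptions made for the example.

```python
from collections import Counter

# Trimmed, hand-constructed stand-in for the public suffix list. The real list has
# thousands of entries plus wildcard ("*.ck") and exception ("!www.ck") rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "icu", "co.uk", "com.br"}


def registrable_domain(hostname: str) -> str:
    """Map a PTR hostname to its registrable domain: after.unrefracted.com -> unrefracted.com,
    mail.example.co.uk -> example.co.uk. Longest matching public suffix wins."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i=0 is the full name, so longest suffix is tried first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix             # bare public suffix, nothing registrable under it
            return ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


class CatchSpam:
    """Counts spam hits per registrable domain and bans the domain after N hits."""

    def __init__(self, delete_threshold: float = 10.0, ban_after: int = 3):
        self.delete_threshold = delete_threshold   # assumed SpamAssassin delete score
        self.ban_after = ban_after
        self.hits = Counter()

    def is_banned(self, hostname: str) -> bool:
        """SMTP-time check on the connecting host's PTR name, before any content scan."""
        return self.hits[registrable_domain(hostname)] >= self.ban_after

    def handle(self, hostname: str, score: float) -> str:
        """Decide one message: 'reject' (domain banned), 'delete' (over threshold,
        hit recorded) or 'accept'."""
        domain = registrable_domain(hostname)
        if self.hits[domain] >= self.ban_after:
            return "reject"
        if score >= self.delete_threshold:
            self.hits[domain] += 1
            return "delete"
        return "accept"


# Constructed sample traffic: (sender PTR hostname, SpamAssassin score).
SAMPLE_MESSAGES = [
    ("after.unrefracted.com", 14.2),
    ("go.unrefracted.com", 11.0),
    ("mail.example.org", 1.3),
    ("now.unrefracted.com", 12.5),
    ("buy.unrefracted.com", 13.1),   # fourth sender under the domain: banned by now
    ("legit.example.org", 0.4),
]


def run_sample():
    """Feed the sample through one CatchSpam instance and return each decision."""
    cs = CatchSpam()
    return [(host, cs.handle(host, score)) for host, score in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for host, decision in run_sample():
        print(f"{host:28s} {decision}")
```

The counter is in memory here; the real setup needs the hits persisted (a file or database table) so the count survives restarts, and a reasonable expiry so a domain that was only briefly abused does not stay banned forever.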
