Attack by SYN_RCVD

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Attack by SYN_RCVD

Post by jimimaseye » 2019-05-07 22:14

Over the last 2 or 3 nights my overnight backup routine has been screwed.

Symptoms:

a, the PAUSE or stop function in hMailServer doesn't work (GUI 'freezes' or the COM API oApp.stop command freezes)
b, trying to issue a STOP to the Windows service also fails to complete.

Code:

C:\Users\Administrator>net stop hmailserver
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.
It's been driving me mad. After years of (more or less) trouble-free operation I have now started having this issue, which is a real show stopper for automated overnight functions.

But then tonight, whilst using TCPView, I noticed that as soon as the hMailServer service is started I have a load of SYN_RCVD appear almost immediately from the same range of IP addresses (91.203.101.xxx and 91.203.103.xxx) onto port 587. And they seemingly stayed around at SYN_RCVD state and steadily increased in quantity (see attached screenshot).

Putting an autoban range in to cover the addresses didn't make any difference. And even enabling TCP logging and event.log writing of oClient.ipaddress didn't actually record anything out to the logs. Very weird.

However, as soon as I put the range into the Windows firewall (inbound port) to block those addresses, they immediately disappeared (as you would expect) and normal service resumed (GUI PAUSE was responsive and net stop / net start worked as it should).
Untitled.png

Does anyone know:

a, who these addresses belong to? Some of them resolved to 'askalo .info', and all are located in Germany.
b, Why do they sit at SYN_RCVD and not move to any other state?
c, Why, at that state, are they seriously screwing around with the performance of the hMailServer service (inability to pause or stop completely)?
d, WHY ME?! Is anyone else having similar?
e, Why doesn't the connection reach hMailServer and show as a connection in logging (or hit its autoban range) despite being port 587 and showing as connected (at SYN_RCVD state) to the hmailserver.exe process?


@palinka: you have similar issues with your service not stopping cleanly. You should check your system at these times too.

@Dravion: come on big man, give me the answers. :-)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 1277
Joined: 2017-09-12 17:57

Re: Attack by SYN_RCVD

Post by palinka » 2019-05-07 22:58

I downloaded TCPView and can confirm exactly the same thing - same IPs, same SYN_RCVD.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Attack by SYN_RCVD

Post by SorenR » 2019-05-07 23:31

Yalwa GmbH
Bahnstraße 2
65205 Wiesbaden
GERMANY
phone: +49 611 448875 0
fax:
e-mail: ripe (at) yalwa (dot) com

Nothing here, I don't share port 587 :wink:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Attack by SYN_RCVD

Post by jimimaseye » 2019-05-07 23:44

SorenR wrote:
2019-05-07 23:31
Yalwa GmbH
Bahnstraße 2
65205 Wiesbaden
GERMANY
phone: +49 611 448875 0
fax:
e-mail: ripe (at) yalwa (dot) com

Nothing here, I don't share port 587 :wink:
If only there was a friendly German helper here who could contact them in their own language and give them what for 😉
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Attack by SYN_RCVD

Post by SorenR » 2019-05-07 23:47

Who did you piss off lately ?? :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Attack by SYN_RCVD

Post by jimimaseye » 2019-05-08 00:32

Jokes aside, I would still like to address:


a, who these addresses belong to? Some of them resolved to 'askalo .info', and all are located in Germany.
b, Why do they sit at SYN_RCVD and not move to any other state?
c, Why, at that state, are they seriously screwing around with the performance of the hMailServer service (inability to pause or stop completely)?

And

e, Why doesn't the connection reach hMailServer and show as a connection in logging (or hit its autoban range) despite being port 587 and showing as connected (at SYN_RCVD state) to the hmailserver.exe process?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Attack by SYN_RCVD

Post by SorenR » 2019-05-08 00:49

jimimaseye wrote:
2019-05-08 00:32
Jokes aside i would still like to address:


a, who these address belong to? Some of them resolved to 'askalo .info', and all are located in Germany.
b, Why do they sit at SYN_RCVD and not move to any other state?
c, Why, at that state, are they seriously screwing around with the performance of the hmailserver service (inability to pause or stop completely) ?

And

e, Why doesnt the connection reach Hmailserver and show as a connection in logging (or hit its autoban range) despite being port 587 and showing as connected (at SYN_RCVD state) to the hmailserver.exe process?
There is a great possibility that the IP addresses are spoofed; usually in attacks they use IP addresses not in use. The spoofed IP sends a SYN and your server tries to return an ACK, but with spoofed IPs they don't exist, so your server tries another 3-5 times just in case :roll: What you are seeing are "half open" connections. Not until an ACK is accepted will there be an actual connection.
So... your server is busy fighting windmills and everyone else can just sit and watch.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

palinka
Senior user
Posts: 1277
Joined: 2017-09-12 17:57

Re: Attack by SYN_RCVD

Post by palinka » 2019-05-08 01:03

I firewall blocked them. All gone.

Dravion
Senior user
Posts: 1487
Joined: 2015-09-26 11:50
Location: Germany

Re: Attack by SYN_RCVD

Post by Dravion » 2019-05-08 01:49

That looks like a SYN flood attack to me.
It's a very old type of attack, and any decent firewall appliance and even the Linux standard firewall can dodge such packets easily.

I recommend enabling the SYN-flood / SYN-cookie attack defense rules in your firewall appliance in front of hMailServer. Also block NULL TCP packets,
packet delivery from non-routable fake IPs, and Xmas packets.

PS:
That's not DDoS, but it's a DoS attack. If it were DDoS you couldn't block it by simply dropping a few IPs.

PS2:
If you want a good overall mitigation service, you should check out, for example, Cloudflare or Stackpath. It's affordable DoS and DDoS mitigation,
and you only get whitewashed traffic to your server.
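The two posts above describe what is happening (half-open handshakes that never complete, so the application never sees a connection) and the fix (drop the offending sources before they reach the server). The following PowerShell script is an added example, not code from this thread, from hMailServer or from any poster: it parses the output of `netstat -ano`, counts SYN_RECEIVED entries (TCPView's SYN_RCVD) per remote address on the submission port, and drafts a Windows Firewall inbound block rule for sources holding more half-open handshakes than a threshold. It assumes the Windows `netstat -ano` column layout and `netsh advfirewall` (Server 2008 R2 has no `Get-NetTCPConnection`); the rule name `HMS-SYN-Block`, the threshold, and the sample netstat lines are my own constructed placeholders.

```powershell
# Added example: not from this thread, hMailServer or any poster. Counts half-open
# (SYN_RECEIVED) TCP connections per remote address from "netstat -ano" output and
# drafts a Windows Firewall inbound block rule for sources above a threshold.
# Assumptions (mine): Windows netstat column layout, "netsh advfirewall" present
# (Server 2008 R2 lacks Get-NetTCPConnection); rule name and threshold are placeholders.

function Get-HalfOpenCounts {
    param(
        [Parameter(Mandatory = $true)] [string[]] $NetstatLines,  # raw "netstat -ano" lines
        [int] $LocalPort = 587                                    # submission port from the thread
    )
    $counts = @{}
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        if ($f[3] -ne 'SYN_RECEIVED') { continue }         # TCPView labels this state SYN_RCVD
        $lport = [int]($f[1] -replace '^.*:', '')           # port after the last colon (IPv6 safe)
        if ($lport -ne $LocalPort) { continue }
        $remoteIp = $f[2] -replace ':\d+$', ''               # strip the remote port
        $counts[$remoteIp] = 1 + [int]$counts[$remoteIp]    # a missing key casts to 0
    }
    return $counts
}

function Get-SuspectSources {
    param([hashtable] $Counts, [int] $Threshold = 20)
    # Remote addresses holding at least $Threshold half-open connections, worst first.
    # A legitimate mail client never parks this many unfinished handshakes on one port.
    $Counts.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        Sort-Object -Property Value -Descending |
        ForEach-Object { $_.Key }
}

function Get-BlockRuleCommand {
    param([string[]] $RemoteIps, [int] $LocalPort = 587, [string] $RuleName = 'HMS-SYN-Block')
    # One inbound rule listing every suspect address; netsh accepts a comma-separated remoteip.
    $list = $RemoteIps -join ','
    return "netsh advfirewall firewall add rule name=`"$RuleName`" dir=in action=block protocol=TCP localport=$LocalPort remoteip=$list"
}

# Constructed sample of "netstat -ano" output (not a real capture) so the script runs offline.
# For live data replace this with:  $sample = netstat -ano
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:587            0.0.0.0:0              LISTENING       1532
  TCP    203.0.113.10:587       91.203.101.15:40211    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.101.15:40212    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.101.15:40213    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.101.15:40214    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.103.22:51000    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.103.22:51001    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       91.203.103.22:51002    SYN_RECEIVED    1532
  TCP    203.0.113.10:587       198.51.100.7:49152     ESTABLISHED     1532
  TCP    203.0.113.10:587       192.0.2.9:33001        SYN_RECEIVED    1532
  TCP    203.0.113.10:25        192.0.2.5:44000        SYN_RECEIVED    1532
'@ -split "`r?`n"

$counts   = Get-HalfOpenCounts -NetstatLines $sample -LocalPort 587
$suspects = @(Get-SuspectSources -Counts $counts -Threshold 3)

# Report every source with at least one half-open handshake, busiest first.
$counts.GetEnumerator() | Sort-Object -Property Value -Descending | Format-Table -AutoSize

if ($suspects.Count -gt 0) {
    $cmd = Get-BlockRuleCommand -RemoteIps $suspects -LocalPort 587
    Write-Host "Suggested rule (review before running):"
    Write-Host $cmd
    # Invoke-Expression $cmd   # uncomment only when $sample comes from a live netstat
} else {
    Write-Host "No source is over the half-open threshold."
}
```

With the constructed sample and a threshold of 3, the two 91.203.x addresses are reported and the single-entry 192.0.2.9 and the port-25 line are ignored. The reason hMailServer's autoban and TCP logging never saw these sources (question e above) is that a half-open connection lives entirely inside the Windows TCP stack: the socket is only handed to hmailserver.exe once the handshake completes, so a flood of unfinished SYNs is invisible to the application and can only be observed at the stack (netstat, TCPView) or filtered at the firewall. The script therefore looks where the evidence actually is; run it from a scheduled task before the backup stops the service if the block list needs refreshing.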

palinka
Senior user
Posts: 1277
Joined: 2017-09-12 17:57

Re: Attack by SYN_RCVD

Post by palinka » 2019-05-08 11:27

jimimaseye wrote:
2019-05-07 22:14

d, WHY ME?!
Indeed. Someone has something personal against hmailserver? It hasn't been enough to actually prevent receiving mail on 587, sooo... what's the point of the whole thing?

Dravion
Senior user
Posts: 1487
Joined: 2015-09-26 11:50
Location: Germany

Re: Attack by SYN_RCVD

Post by Dravion » 2019-05-08 13:35

In most cases it's a script kiddie systematically trying out all pingable IP addresses.

If it's a stupid script kid, just block his IP and you are good to go.

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Attack by SYN_RCVD

Post by jimimaseye » 2019-05-08 14:11

But...
c, Why, at that state, are they seriously screwing around with the performance of the hMailServer service (inability to pause or stop completely)?

And

e, Why doesn't the connection reach hMailServer and show as a connection in logging (or hit its autoban range) despite being port 587 and showing as connected (at SYN_RCVD state) to the hmailserver.exe process?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Dravion
Senior user
Posts: 1487
Joined: 2015-09-26 11:50
Location: Germany

Re: Attack by SYN_RCVD

Post by Dravion » 2019-05-08 16:21

That's because of the nature of a SYN attack.

A SYN cookie is sent to the TCP/IP stack of Windows, pretending the incoming attacker wants to establish a connection, but before the connection can be established the attacker disconnects.

If this happens in a loop you have a SYN attack, not visible to hMailServer (or any other mail server).

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Attack by SYN_RCVD

Post by jimimaseye » 2019-05-08 22:00

Code:

Hmailserver service shutdown: Ok
Spamassassin service shutdown:Ok
Spam Assassin Def Update:     Ok
Spam Assassin Service startup:Ok
Hmailserver service startup:  Ok
Zip:                          Ok
Email Cleardown Script:       Ok

See attached log file below for details.

Backup Start: 08/05/2019 20:00:00.12 

HMS Server Start Time: 2019-05-07 20:47:18
HMS Daily Spam Reject count: 1
HMS Daily Viruses Removed count: 0

Pausing Hmailserver..... 

20:00:00.62 Stopping Hmailserver service...

The hMailServer service was stopped successfully.

Ok! 
20:00:01.24 Stopping Spamassassin service...

The spamassassin service was stopped successfully.

Ok!
Normal service has resumed. Such a relief.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Attack by SYN_RCVD

Post by SorenR » 2019-05-08 22:27

SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Attack by SYN_RCVD

Post by jimimaseye » 2019-05-09 23:15

Bugger.

Had to add more IPs to the firewall to protect from the SYN_RCVD attack.

additional IPs:

128.199.36.85 and
174.138.106.64
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 1277
Joined: 2017-09-12 17:57

Re: Attack by SYN_RCVD

Post by palinka » 2019-05-10 13:24

jimimaseye wrote:
2019-05-09 23:15
Bugger.

Had to add more ip's to the firewall to protect from SYN_RCVD attack.

additional IPs:

128.199.36.85 and
174.138.106.64
Have a look at my changes to the backup procedure. I just updated things to make it verbose. I've tested it a couple of nights and it works.

So far as I've noticed, the only adverse effect from SYN_RCVD attacks is the service shutdown procedure. Otherwise, the attacks don't really interfere with normal operation. It doesn't make sense to play whack-a-mole with the firewall, which is why I made the backup script changes.

Is there a *simple* automated method to defend against these attacks? What I read about them is beyond my software/hardware capabilities.

mattg
Moderator
Posts: 20290
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Attack by SYN_RCVD

Post by mattg » 2019-05-10 15:05

jimimaseye wrote:
2019-05-09 23:15
Bugger.

Had to add more ip's to the firewall to protect from SYN_RCVD attack.

additional IPs:

128.199.36.85 and
174.138.106.64
I've got those two too
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Attack by SYN_RCVD

Post by RvdH » 2019-05-10 17:03

I see the same IPs (the above mentioned ones), only not SYN_RCVD connected to hmailserver.exe, but to "FileZilla Server.exe".
Weird stuff.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Dravion
Senior user
Posts: 1487
Joined: 2015-09-26 11:50
Location: Germany

Re: Attack by SYN_RCVD

Post by Dravion » 2019-05-10 17:45

That's because any TCP or UDP socket program entering the LISTENING state after the three-way handshake is a possible victim of DoS and DDoS.

It doesn't matter if the server is called FileZilla FTP Server, hMailServer, Apache2 HTTP Server etc.

That's why server software should be coded very carefully, not run with max. user permissions, and guarded by firewalls to mitigate the usual attack traffic which hits us all every day (but most users are not aware of the constant dangerous traffic).

For example: only one maliciously crafted TCP packet sent to FileZilla Server can cause a server crash by buffer overflow, providing the attack surface required for tools like Metasploit to inject malicious machine code instructions, which can lead to a complete takeover of the complete operating system with Administrator permissions.