[HN Gopher] Ask HN: Why is my web server being attacked?
       ___________________________________________________________________
        
       Ask HN: Why is my web server being attacked?
        
       I run a small Web server. It's a vanity project, very low traffic -
       less than 50 pages served per day. Strictly HTML - no CGI, no PHP,
       nothing. For the past couple of weeks the server has been the
       target of a SYN Flood attack. Also very low volume - 100-150 SYN
       packets (with forged IP addresses) received per hour. I have all
       the usual mitigations in place and the attack is not affecting the
       server. However, I am curious why it's being attacked. I have not
       received any "ransom" email, the server does not host anything that
       is even mildly controversial and the forged IP addresses are always
       different and from all over the world so I'm not being used to
       flood some other server. Can anyone suggest a purpose for this
       attack?
        
       Author : litoE
       Score  : 20 points
       Date   : 2023-12-27 18:54 UTC (4 hours ago)
        
       | nullindividual wrote:
       | It's on the Internet. That's the only reason.
        
       | slater wrote:
       | Testing your defenses?
        
       | runningmike wrote:
        | Clear context is missing: what are you hosting, what web server,
        | who are you - person of interest?, what is your IP, hosted on a
        | cloud service or a too-cheap VPS?, what is your DNS? And most
        | important: what is behind your front door...
        
         | slater wrote:
         | > what is your IP
         | 
         | NICE TRY, MR. HACKERMAN
        
       | devonnull wrote:
       | Probably because the attackers can. Sometimes people don't need a
       | deep reason for doing anything. They just want to watch bits of
       | the web burn.
        
       | lopkeny12ko wrote:
       | > 100-150 SYN packets (with forged IP addresses) received per
       | hour.
       | 
       | Lol. That's not an "attack."
       | 
        | Your server is publicly accessible over the internet. This means
        | you are explicitly allowing other networks to connect to your
        | server. This is par for the course; just always make sure to run
        | the latest security patches and move on with life.
        
       | bhaney wrote:
       | I don't think I'd consider 100 SYN packets per hour to be an
       | attempted SYN flood attack
        
       | gtirloni wrote:
       | One hundred. Not great, not terrible.
       | 
       | Take him to the infirmary. Toptunov, take him! He's delusional.
       | Flood attack, forged IP addresses. He'll be fine. I've seen
       | worse.
       | 
       | You didn't see forged IPs. You didn't. You didn't!!! Because it's
       | not there!
        
         | seaprune wrote:
         | I've been reading Hacker News for over 12 years now and this is
         | my first comment and I wanted to make it a reply to your post
         | because I'm in stitches.
        
         | francisofascii wrote:
         | The meter max reading is 100. It's not 100. It's 15,000. :)
        
       | cameron_b wrote:
       | Adding to what has already been said- New registrations are the
       | food for probing. You could have an IP on someone's naughty list
       | from a previous user. It's any other day on the internet.
       | 
       | That's just what the neighborhood ( the whole internet ) looks
       | like from the sidewalk.
       | 
       | So, Set up a free Cloudflare account, move your DNS of record to
       | them, and run traffic through Cloudflare to your server.
        
         | gustavus wrote:
         | Please don't do this, find another way. Almost 1/2 the internet
         | is inaccessible to me at this point because at some point CF
         | decided that I was a bad actor and now I can't get to anything.
        
           | Erratic6576 wrote:
           | Have you tried changing the web browser or VPN?
        
           | KomoD wrote:
           | Then change your ip or browser settings.
        
         | diggan wrote:
         | > So, Set up a free Cloudflare account, move your DNS of record
         | to them, and run traffic through Cloudflare to your server.
         | 
         | Since the author is not actually experiencing any issues,
         | they're just curious, there really isn't any need for this.
        
         | joeyrobert wrote:
         | I recommend this method for self-hosting too. I have gigabit
         | Internet and cloudflare proxying unlocks the ability to host
         | locally without exposing my home IP. Plus all the advantages of
         | DDoS mitigation.
        
         | codegeek wrote:
          | Cloudflare won't protect your IP from being hit directly. If
          | your IP can be accessed publicly, it will get hit, period. You
          | could use nginx etc. to return a 444 status code, but you can't
          | stop these scripts/bots from hitting your IP completely.
        
           | solardev wrote:
           | Normally you'd just configure the firewall to drop all
           | packets not from Cloudflare. Maybe also get a new static IP
           | first.
        
           | lormayna wrote:
            | Yes and no. If you have an iptables rule that drops anything
            | not coming from CF IPs, the attacking packets are not passed
            | to the application and are dropped in kernel mode. Otherwise
            | the packet will be passed to the user-mode application, which
            | consumes more resources to analyse and drop the connection.
        
         | piperswe wrote:
         | If you set up Cloudflare Tunnel, you don't even need to be set
         | up to accept any incoming connections. With Access, you can
         | even run SSH through that tunnel. You can then setup your
         | firewall to drop any incoming packets for non-established
         | connections, closing a significant hole for DoS attacks and
         | such.
        
           | naiv wrote:
           | Tailscale is also a great alternative
        
         | ozim wrote:
          | Pro tip - if you can get a cheap IPv6 host, the Cloudflare proxy
          | will work for you for IPv4 as well, as they will handle it.
          | 
          | You set up only an AAAA record and you are reachable from IPv4
          | as well, plus the other Cloudflare caching benefits that you get.
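The two points made above in this subthread, lormayna's (packets that do not come from the proxy's ranges are dropped in the kernel before any user-space process sees them) and piperswe's (drop every incoming packet that is not part of an established connection), come down to one small ruleset. The following is an added example, not code from the thread or from Cloudflare: it validates and merges an allow-list of proxy ranges, models the per-packet verdict the kernel would reach, and emits the equivalent nftables ruleset. The ranges are constructed stand-ins; the real published list lives at https://www.cloudflare.com/ips-v4 and changes over time, so it has to be refreshed.

```python
import ipaddress

# Constructed stand-in for the reverse proxy's published IPv4 ranges (the
# real list is at https://www.cloudflare.com/ips-v4); one entry deliberately
# overlaps another to show the collapse step.
PROXY_RANGES = ["198.51.100.0/24", "198.51.100.128/25", "203.0.113.0/25"]
SERVICE_PORTS = (80, 443)


def collapse(cidrs):
    """Validate and merge the allow-list; a bad string fails here, not in nft."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def decide(src, dport, ct_state, allowed):
    """Model the kernel-side verdict for one packet (loopback not modelled).

    A spoofed SYN from outside the allow-list is a 'new' flow from an address
    not in the set, so it is dropped here, before any socket exists or any
    user-space process is woken up.
    """
    if ct_state in ("established", "related"):
        return "accept"
    if ct_state != "new":
        return "drop"                       # invalid or untracked
    if dport in SERVICE_PORTS and any(ipaddress.ip_address(src) in n for n in allowed):
        return "accept"
    return "drop"


def nft_ruleset(allowed):
    """Emit the equivalent nftables ruleset (load with `nft -f <file>`)."""
    elems = ", ".join(str(n) for n in allowed)
    ports = ", ".join(str(p) for p in SERVICE_PORTS)
    return (
        "table inet filter {\n"
        "    set proxy_v4 {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elems} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        "        ct state invalid drop\n"
        "        iif lo accept\n"
        f"        ip saddr @proxy_v4 tcp dport {{ {ports} }} accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    allowed = collapse(PROXY_RANGES)
    print(decide("192.0.2.1", 443, "new", allowed))   # spoofed-looking SYN: drop
    print(nft_ruleset(allowed))
```

Before loading anything like this, add a rule for the address or overlay interface you administer the box from: with `policy drop` and no such rule, your own SSH session is dropped too, which is exactly the gap the tunnel and Tailscale suggestions in this thread are filling.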
        
       | donatj wrote:
       | In my general experience, everything on the open web is being
       | probed and attacked, all the time, always.
       | 
       | That's just kind of how it goes. Bots scan the web looking for
       | holes to get in and cause trouble. They'll poke your stuff.
        
       | devdiary wrote:
        | I also face the same and I have set a policy to ban such traffic
        | by IP. Quick question: how do you know the IP is forged?
        
       | lfmunoz4 wrote:
        | Anyone know of an eBPF tool that can temporarily block IPs if they
        | start sending too many SYN packets?
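Whatever tool does the blocking, the logic it has to implement is a sliding-window count of SYNs per source with a ban that expires. The following is an added example written for this thread, not an eBPF program and not anyone's posted code: the same counting logic in user-space Python, with illustrative thresholds, replayed over constructed traffic. The second constructed input shows the limit of the approach for the poster's case: when every SYN carries a different forged source, a per-source counter never trips.

```python
from collections import defaultdict, deque


class SynRateBanner:
    """Per-source SYN rate limit over a sliding window, with a temporary ban.

    Thresholds are illustrative, not tuned values.
    """

    def __init__(self, max_syns=20, window=10.0, ban_seconds=300.0):
        self.max_syns = max_syns            # SYNs allowed per source per window
        self.window = window                # sliding window length, seconds
        self.ban_seconds = ban_seconds      # how long a source stays blocked
        self._recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self._banned_until = {}             # src -> expiry timestamp

    def is_banned(self, src, now):
        until = self._banned_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[src]     # ban expired, forget the source
            return False
        return True

    def observe_syn(self, src, now):
        """Account for one SYN from src at time now; return 'pass' or 'drop'."""
        if self.is_banned(src, now):
            return "drop"
        recent = self._recent[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # age out SYNs outside the window
        if len(recent) > self.max_syns:
            self._banned_until[src] = now + self.ban_seconds
            recent.clear()
            return "drop"
        return "pass"


def run(events, **thresholds):
    """Replay (timestamp, src_ip) SYN events; return (passed, dropped)."""
    banner = SynRateBanner(**thresholds)
    passed = dropped = 0
    for ts, src in sorted(events):
        if banner.observe_syn(src, ts) == "pass":
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed traffic, not a capture: one chatty scanner from a single
# address, then the shape of a spoofed flood: fifty sources, one SYN each.
SCANNER = [(i * 0.1, "203.0.113.5") for i in range(30)]
SPOOFED = [(5.0 + i, f"198.51.100.{i}") for i in range(50)]

if __name__ == "__main__":
    print("scanner:", run(SCANNER, max_syns=20, window=10.0, ban_seconds=300.0))
    print("spoofed:", run(SPOOFED, max_syns=20, window=10.0, ban_seconds=300.0))
```

For real enforcement of the unspoofed case, the same counter can be expressed with an nftables `limit rate` rule or an XDP program keyed on source address. For forged sources it cannot help, because each SYN is a fresh address; there the defence is the kernel's own SYN backlog handling and SYN cookies (`net.ipv4.tcp_syncookies = 1` on Linux), which is presumably what the poster means by the usual mitigations.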
        
       | lormayna wrote:
        | You are not being attacked. Those are probably some bots that are
        | port scanning the whole Internet. I would simply ignore them and
        | focus on web server logs to find some strange requests.
        
       | ericbarrett wrote:
       | While I agree with other commenters that 100/hour doesn't rise to
       | the level of "attack," I'm also curious, because with a forged
       | peer address these are certainly not probes--the true sender
       | would not get a response either way. Unless, that is, the spoofed
       | IPs are also controlled by the attacker. I wonder if you'd find
       | any patterns (net range, ASN, geographical, residential, etc.) in
       | an analysis.
       | 
       | It could also be that your server--no doubt along with millions
       | of others--is simply being used as a bouncer to shield the origin
       | of a DDoS attack. Typically attackers want "amplification" (send
       | a tiny packet with a spoofed source address, get a large
       | response) but if their pipe is big enough they may be content
       | with a level of indirection.
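The analysis ericbarrett suggests, and devdiary's question about how one knows a source is forged, can be answered from the same packet trace. The following is an added example, not code from anyone in the thread: it splits SYNs into completed handshakes and half-open ones (a forged source never sees the SYN-ACK, so it can never send the final ACK; a half-open scanner leaves the same trace, so this is evidence, not proof) and then counts distinct half-open sources per prefix, which is the first of the patterns mentioned above. The packet tuples are constructed; the tcpdump or tshark parsing that would produce them from a real capture is left out.

```python
import ipaddress
from collections import Counter

# Constructed sample of what a server sees, as (timestamp, src_ip, src_port,
# tcp_flags) using tcpdump's flag letters: "S" is a SYN, "." a bare ACK.
# Not a capture from the poster's server.
SAMPLE_PACKETS = [
    (0.00, "198.51.100.7", 40001, "S"),
    (0.01, "198.51.100.7", 40001, "."),   # third handshake step: a real client
    (1.00, "203.0.113.5",  51000, "S"),   # no ACK ever follows
    (2.00, "203.0.113.9",  51001, "S"),
    (3.00, "203.0.113.77", 51002, "S"),
    (4.00, "192.0.2.33",   51003, "S"),
    (5.00, "192.0.2.34",   51004, "S"),
    (6.00, "198.51.100.7", 40002, "S"),
    (6.01, "198.51.100.7", 40002, "."),
]


def classify_syns(packets, ack_window=1.0):
    """Split SYNs into completed handshakes and half-open ones.

    A spoofed source never sees our SYN-ACK, so it can never send the final
    ACK.  A SYN with no ACK from the same ip/port within ack_window is
    therefore consistent with spoofing; only consistent with it, because a
    half-open (SYN) scanner produces exactly the same trace.
    """
    syn_ts = {}          # (src, sport) -> time of the SYN
    completed = set()
    for ts, src, sport, flags in packets:
        key = (src, sport)
        if flags == "S":
            syn_ts[key] = ts
        elif flags == "." and key in syn_ts and ts - syn_ts[key] <= ack_window:
            completed.add(key)
    half_open = {k: t for k, t in syn_ts.items() if k not in completed}
    return half_open, completed


def prefix_histogram(ips, prefixlen=24):
    """Count distinct sources per IPv4 prefix.  A flood with random forged
    sources looks flat (about one source per prefix); a scanner, or an
    attacker using addresses it actually controls, tends to cluster."""
    hist = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hist[str(net)] += 1
    return hist


def summarize(packets, ack_window=1.0, prefixlen=24):
    """The numbers to look at before deciding what 100 SYNs/hour are."""
    half_open, completed = classify_syns(packets, ack_window)
    sources = sorted({src for src, _ in half_open})
    hist = prefix_histogram(sources, prefixlen)
    return {
        "half_open_syns": len(half_open),
        "distinct_half_open_sources": len(sources),
        "completed_sources": sorted({src for src, _ in completed}),
        "prefixes": hist,
        "max_sources_per_prefix": max(hist.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

With a real capture, a `max_sources_per_prefix` near 1 over hundreds of sources points at random forging; a few prefixes carrying most of the half-open SYNs is the case ericbarrett raises, sources the sender actually controls, and those prefixes are then worth an ASN and reverse-DNS lookup.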
        
       | quickthrower2 wrote:
       | You on a shared IP?
        
       ___________________________________________________________________
       (page generated 2023-12-27 23:01 UTC)