Our E1 connection is being closed by our firewall*. It happens intermittently every few days.
I find log entries like this one around the same time as the dropout:
Jun 2 09:53:35 sg580 kernel: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:04:7c:13:00:15:2b:ff:97:68:08:00 SRC=61.162.229.252 DST=221.133.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Always from the same SRC ip too!
Are we being DOS attacked?!
What can we do about this?
Thanks,
Ashley
*Our firewall is a SnapGear SG580
Malicious or not - it is a DOS attack - but a try-hard one at best.
Notice that the SYN flag is set, i.e., it is trying to establish a new connection to your IP on port 1433 - sounds like an MS SQL service.
There are vulnerabilities for that service, so it's likely to be some pathetic script kiddie trying to be l33t.
Have a look at the SANS page on port 1433 vulnerabilities...
Note that it is - very much so - possible to perform a DOS attack from a single host, despite the previous comment made. It depends on the service, and the vulnerability, not the fact that it's from 1 host or many.
For example, if 1 unit of attack causes 5 units of resource waste, then maybe the attack would do better by using 100 hosts; however, if 1 unit of attack can cause 100,000 units of resource waste, then 1 host is more than enough.
Finally, notice that the IP address of the source is from China, Beijing. Is it likely that you should be receiving a MS SQL connection at a high rate from Beijing? =)
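As an added illustration of the reading above (not code from the thread or from SnapGear), the following Python parses netfilter-style kernel log lines like the "Flood - dropped" entry in the original post, splits them into KEY=VALUE fields and bare flag tokens, and counts SYN-only connection attempts per source address and destination port so repeated attempts from one host, as in Ashley's log, stand out. The sample log lines are constructed from the posted entry (the destination stays masked exactly as in the post; the second source uses the documentation range 192.0.2.0/24); the "Flood - dropped" label format and the small service-name table are assumptions.

```python
"""Parse SnapGear/iptables-style kernel log lines such as the "Flood - dropped"
entry in the post and summarise repeated SYN attempts per (source, port).
Added example; not SnapGear's or the thread's code."""
import re
from collections import Counter

# Syslog prefix: "<Mon> <day> <hh:mm:ss> <host> kernel: <label>: IN=..."
# The label ("Flood - dropped" here) is whatever the firewall rule logs with.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<label>.*?):\s+(?P<fields>IN=.*)$"
)

# Bare tokens netfilter emits for IP/TCP header flags (they carry no "=" sign).
_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE", "DF", "MF"}

# A few IANA service names; 1433 is ms-sql-s, the service the reply points at.
_SERVICE_NAMES = {"1433": "ms-sql-s", "22": "ssh", "80": "http", "443": "https"}

# Constructed sample log: the posted line plus two more from the same SRC and
# one unrelated ACK/RST packet. DST is masked as it was in the post.
SAMPLE_LOG = """\
Jun 2 09:53:35 sg580 kernel: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:04:7c:13:00:15:2b:ff:97:68:08:00 SRC=61.162.229.252 DST=221.133.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 2 09:53:36 sg580 kernel: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:04:7c:13:00:15:2b:ff:97:68:08:00 SRC=61.162.229.252 DST=221.133.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 2 09:53:37 sg580 kernel: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:04:7c:13:00:15:2b:ff:97:68:08:00 SRC=61.162.229.252 DST=221.133.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 2 09:53:40 sg580 kernel: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:04:7c:13:00:15:2b:ff:97:68:08:00 SRC=192.0.2.10 DST=221.133.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=443 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 2 09:54:00 sg580 kernel: eth1: link up
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a netfilter line.

    KEY=VALUE tokens become dict entries (an empty value such as "OUT=" is
    kept as ""); bare flag tokens such as SYN go into the "flags" set.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "label": m.group("label"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in _FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def is_syn_only(rec):
    """True for a fresh TCP connection attempt: SYN set, ACK clear (the posted case)."""
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def syn_sources(lines, min_count=2):
    """Count SYN-only packets per (SRC, DPT); return (src, dport, service, count)
    tuples at or above min_count, most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_syn_only(rec):
            counts[(rec.get("SRC"), rec.get("DPT"))] += 1
    hits = [(src, dpt, _SERVICE_NAMES.get(dpt, "unknown"), n)
            for (src, dpt), n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda t: -t[3])


if __name__ == "__main__":
    for src, dpt, svc, n in syn_sources(SAMPLE_LOG.splitlines()):
        print(f"{src} -> port {dpt} ({svc}): {n} SYN-only packets")
```

Run against a real `/var/log/messages`, `syn_sources(open(path))` gives the same per-source, per-port tally; the `min_count` threshold is what separates a single stray SYN from the repeated attempts the post describes.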
Technically one would use DDoS (Distributed Denial of Service) to describe a DoS attack from multiple source IPs, but it's almost impossible to actually cause a Denial of Service condition when flooding from only a single IP, not to mention it occurs only every few days. So no, I wouldn't call it a DoS attack.
I'd say block him and see how things go.
Ehtyar.
It could be a configuration problem on the machine in question that causes it to send a flood. It could be a router or network configuration issue. Or it could be something hostile. It depends on whether it's coming from inside or outside your network. It looks like it's coming from outside your network. In this case, I agree with Ehtyar Holmes and say block it and see what happens. If it's someone who can legitimately connect to your network, but who has some problem with their computer, then they may contact you. If it's someone hostile, they'll hopefully leave you alone.