Periodic SYN flood attack from Cloudflare IP detected

What is the name of the domain?

example.com

What is the issue you’re encountering

Periodic SYN flood attack from Cloudflare IP detected

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Three web servers are connected to the Cloudflare domain; their IPs are all the same and only the ports differ. Only one of the ports periodically shows SYN flood detections from Cloudflare IPs in the iptables firewall. For all three ports, the router whitelist allows only Cloudflare IPs.

The SYN flood detection rules in iptables are as follows.
sudo iptables -t mangle -A PREROUTING -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -t mangle -A PREROUTING -p tcp --syn -j LOG --log-prefix="[DROP - SYN Flood] "
sudo iptables -t mangle -A PREROUTING -p tcp --syn -j DROP

And the log is as follows

Feb 2 02:43:54 bigtable kernel: [881657.542919] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.71.175.76 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1280 DF PROTO=TCP SPT=31777 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.556942] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.157.155 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=53812 DF PROTO=TCP SPT=18599 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.575174] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.86.114 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=37412 DF PROTO=TCP SPT=22107 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.589883] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.156.156 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=16356 DF PROTO=TCP SPT=15021 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:55 bigtable kernel: [881658.781553] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.69.54.137 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=16610 DF PROTO=TCP SPT=56667 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:55 bigtable kernel: [881658.783836] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.156.156 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=26311 DF PROTO=TCP SPT=25283 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:44:13 bigtable kernel: [881677.025366] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.71.162.130 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=3152 DF PROTO=TCP SPT=28717 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:44:13 bigtable kernel: [881677.040062] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.68.210.161 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=46676 DF PROTO=TCP SPT=58111 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0

Once a SYN flood starts to be detected, it lasts about 2-3 minutes, and it recurs every 8-24 hours. Is this a real attack or a periodic scan by Cloudflare? There is no change in the Cloudflare dashboard at the time the SYN flood is detected.

No, your rules are too strict; it would only take a handful of visitors to trigger this rule. If somebody was able to spoof CF IPs and had your backend, this rule would quite literally take down your website with very few pps.

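To make the "too strict" point concrete, here is an added example (not code from the thread or from Cloudflare): a small Python model of the posted `-m limit --limit 10/s --limit-burst 20` rule as a token bucket, run over the eight log lines quoted above and over a constructed page-load burst, and compared with a per-source bucket of the kind `-m hashlimit --hashlimit-mode srcip` would give. Assumptions: the bucket model is a simplification of xt_limit (the kernel counts integer credits per jiffy, but the pass/drop behaviour is the same), the edge addresses in `page_load_burst` are hypothetical values inside Cloudflare's 172.64.0.0/13 range, and the Cloudflare range list is the published one at the time of writing and should be refetched from https://www.cloudflare.com/ips-v4 before being relied on.

```python
# Added example: model the thread's xt_limit SYN rule and replay traffic through it.
import ipaddress
import re
from collections import defaultdict

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) as of
# writing; assumption: refetch before using these in a real allowlist.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: the eight LOG entries quoted in the thread, one per line.
SAMPLE_LOG = """\
Feb 2 02:43:54 bigtable kernel: [881657.542919] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.71.175.76 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1280 DF PROTO=TCP SPT=31777 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.556942] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.157.155 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=53812 DF PROTO=TCP SPT=18599 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.575174] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.86.114 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=37412 DF PROTO=TCP SPT=22107 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:54 bigtable kernel: [881657.589883] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.156.156 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=16356 DF PROTO=TCP SPT=15021 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:55 bigtable kernel: [881658.781553] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.69.54.137 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=16610 DF PROTO=TCP SPT=56667 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:43:55 bigtable kernel: [881658.783836] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.70.156.156 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=26311 DF PROTO=TCP SPT=25283 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:44:13 bigtable kernel: [881677.025366] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.71.162.130 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=3152 DF PROTO=TCP SPT=28717 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 2 02:44:13 bigtable kernel: [881677.040062] [DROP - SYN Flood] IN=enp19s0 OUT= MAC=a4:ba:db:bc:ca:74:80:ca:4b:23:c9:39:08:00 SRC=172.68.210.161 DST=192.168.123.102 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=46676 DF PROTO=TCP SPT=58111 DPT=8070 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Kernel uptime stamp, source address, destination port, and the SYN flag.
LOG_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+).*?\bSYN\b")


def parse_syn_log(text):
    """Return (timestamp, src_ip, dst_port) for every logged SYN in `text`."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            packets.append((float(m["ts"]), m["src"], int(m["dpt"])))
    return packets


def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def summarize(text):
    """What the log alone tells you: how many SYNs, from where, to which port, over what span."""
    pkts = parse_syn_log(text)
    return {
        "count": len(pkts),
        "sources": sorted({src for _, src, _ in pkts}),
        "all_cloudflare": all(is_cloudflare(src) for _, src, _ in pkts),
        "ports": sorted({dpt for _, _, dpt in pkts}),
        "span_s": round(pkts[-1][0] - pkts[0][0], 3) if pkts else 0.0,
    }


class TokenBucket:
    """Simplified xt_limit: starts full with `burst` tokens, refills `rate`
    tokens per second, and every matching packet spends one token or is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, t):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + max(0.0, t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_bucket(packets, per_source=False, rate=10, burst=20):
    """Replay packets through one global bucket (the posted rule) or one bucket
    per source address (hashlimit srcip); return the packets that would be dropped."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    dropped = []
    for t, src, dpt in packets:
        if not buckets[src if per_source else "global"].allow(t):
            dropped.append((t, src, dpt))
    return dropped


def page_load_burst(n_conns, n_edges, spacing=0.001):
    """Constructed traffic: one page load that opens n_conns backend connections,
    one SYN every `spacing` seconds, spread round-robin over n_edges hypothetical
    Cloudflare edge addresses inside 172.64.0.0/13."""
    edges = [f"172.71.0.{i + 1}" for i in range(n_edges)]
    return [(i * spacing, edges[i % n_edges], 8070) for i in range(n_conns)]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    burst = page_load_burst(40, 4)  # 40 connections from 4 edges in 40 ms
    print("global -m limit drops:", len(run_bucket(burst)))
    print("per-source drops:    ", len(run_bucket(burst, per_source=True)))
```

Running it shows the two halves of the reply above: every logged source sits inside Cloudflare's published ranges, all aimed at port 8070, and a single page load that opens 40 connections in 40 ms loses 20 of them to the global bucket while a per-source bucket with the same rate and burst drops none, because the load is spread over several edge addresses. Note that the global rule counts SYNs from all sources together, so any one burst exhausts the bucket for everyone, which is exactly why the reply warns it can be weaponized by a spoofed source.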

Actually, there is no one visiting my website except myself and the health-check bot that I set up. The health-check bot visits all three subdomains every five minutes, so it seems strange that this happens repeatedly for only one of them.

Your website, even if unreleased, is visited by automated bots 24/7. Crawlers, vuln scanners, security scanners, etc.
As soon as any of your subdomains/domains appear on any listing such as certificate transparency, it’s going to be replicated and amplified to appear on more scanning lists.

Not if the other subdomains haven’t caught the attention of scanners/bots (yet).

If the only visitors of your site are you and the healthchecks and this activity bothers you, use access or firewall rules to seal the site.

Is it normal for bots or scanners to establish so many connections in a short time? When I accessed through a web browser, that rate limit was enough. And when I access, my IP is not fixed, so I think it will be difficult to apply IP-based rules in the firewall.

Even humans: consider a site that loads many resources/images; the moment that happens, legitimate visitors are going to generate a burst of requests that might easily surpass 20 conn/s. This depends on your setup and all that, but generally rate limits can backfire because unexpected (but legitimate) situations occur all the time.

Regarding bots/scanners, yes, it's expected. I also suspect that when your firewall blocks CF, the edge retries the connection and creates a vicious loop that gets CF blocked even more.

