Something worries me about what you write. You're far too smart to wonder about something that shouldn't need to be wondered about. I've been thinking about your posts last night :
What is strange is that it looks like inbound, source is outside and dest is you, and you say it's outbound. SO we have 2 possibilities here :
- those packets are forged, and designed to bypass your iptables. But designed as they are, they won't go anywhere, as next router will ignore them or send them back to you (as being dest), which may be the purpose. But how are they generated, if not from inside your box ? Try to check for backdoor/rootkit, with a tool like chkrootkit ( ).
- those are part of the packets, and the others are the SYN/ACK reply that don't appear in your post for it to be kept short. OK, this is the most logical solution.
But then, you write that if you leave it alone, the server finally comes down, which looks like a SYN flood. But in your post only 3 hits per minute are seen. Once again 2 possibilities :
- if this is enough to get the server down, then there is an issue in the server itself, and it would be interesting to understand why it cant fall with such a few hits. Whatesoever, we can assume that it does so because it waits for handshakes to complete taht never does. A way round to try would be to check your httpd.conf file. Are you on keepalive off ? If you need keepalives, shorten MaxKeepAliveRequests to a lower value (from 100 to 20, for example). Then lower your ServerLimit, say from 256 to 160, and, what is most important, lower your MaxRequestsPerChild dramatically, say from 4000 to 1500. Better not touch the MaxClients though, for the hacker no to prevent others to get in. I can explain the reasons of those if you need.
- There is a larger number of packets, and once again you only selected a few. Then it's a SYN flood looking like event. A way round I could suggest, insted of working on the port solution, would be to work on the IP address, as the dump shows it seems to be always the same in the flood sequence. Maybe could you set up a kind of hysteresis on your iptables, that would allow hits in, but in a limited flow, say 2 or 3 per minute (which is even quite few, as each clic on link in any page makes a new handshake, even in normal use of your site). It would be a line in your iptables like :
iptables -A FORWARD -p tcp --syn -m limit --limit 1/m -j ACCEPT
Hope this helps. If it doesn't, could you give more information on what makes you see it's outbound, how many packets are seen and so on ?
The worst case would of course be rootkit, as it would indicate stealth of bandwidth, storage space and deep compromission of the machine itself. Hope we're not there.
Yours
Jerome
You can lean only on what resists you...
