GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » DDOS (maybe) over port 80
DDOS (maybe) over port 80 [message #144068] Sun, 30 September 2018 00:26 Go to next message
bigmountain is currently offline  bigmountain
Messages: 64
Registered: April 2006
Has anyone been experiencing a DDOS attack over port 80 in the past few days? I am seeing several IPs and in one case an entire class C block of addresses attempt to connect to most of the IPs on our network via port 80 TCP. I do not see any activity from these IP when I go to the individual host, so I have to assume that Control is dropping the connections. However, sometimes I see the connections dropping on their own and other times they do not seem to drop and I have to manually block the IP and/or IP range. When these attacks are happening, http service freezes up on most of the hosts behind the firewall and at times, may disrupt standard smtp over port 25. It does not affect https, imap(s), dns, etc. just http and sometimes smtp. Even stranger, when these attacks happen, they are not connecting via smtp at all. So, I do not know why smtp get blocked for some hosts when the http attack occurs. Last, I do have connection limits set near the Kerio defaults and it does not seem that the connection limits are being met as they are not logged in the warning log and I am not receiving alerts indicating this. Has anyone encountered this? I do have a ticket in with GFI with all of the details, but am wondering if maybe there is something wrong with the latest antivirus or intrusion prevention update that introduced a bug that is preventing Control from properly handling these http requests?

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144070 is a reply to message #144068] Sun, 30 September 2018 21:55 Go to previous messageGo to next message
Columbia is currently offline  Columbia
Messages: 196
Registered: August 2014
Location: Moscow
I also experience the same DDos stacks over port 80. Only manual block works. But this is not normal. Is it possible to get any comments from GFI about this problem ? May be it is possible to block inbound 80 port?

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144071 is a reply to message #144070] Sun, 30 September 2018 22:07 Go to previous messageGo to next message
bigmountain is currently offline  bigmountain
Messages: 64
Registered: April 2006
It is definitely not normal. Control has always properly dealt with these attacks for us. Fortunately, either the attacks have slowed down or Control has received updated intrusion prevention updates that maybe addressed these better. I can't explain it and I am still waiting to hear back from GFI. The type of attack appears to be SYN Flood, which is pretty common. According to my debug log (I have dropped packets checked), it seems to be dropping the connections of these unanswered SYN ACK responses at a faster pace, preventing the flood.

As for blocking port 80, that is easy, but we use port 80 on most of our machines.

Once I hear back from GFI, I will post an update.

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144072 is a reply to message #144071] Sun, 30 September 2018 23:19 Go to previous messageGo to next message
Columbia is currently offline  Columbia
Messages: 196
Registered: August 2014
Location: Moscow
Thank a lot for any feedback.

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144079 is a reply to message #144072] Tue, 02 October 2018 10:01 Go to previous messageGo to next message
generator is currently offline  generator
Messages: 21
Registered: May 2004
Same by me. Last 3 days massive DDoS attacks. We use Reverse Proxy. Connection limits doesn't help.

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144092 is a reply to message #144079] Wed, 03 October 2018 14:16 Go to previous messageGo to next message
Columbia is currently offline  Columbia
Messages: 196
Registered: August 2014
Location: Moscow
Does GFI support come here on forum to publish any comments? The last official comment from GFI was in the summer. Is the forum dead?

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144095 is a reply to message #144092] Wed, 03 October 2018 15:14 Go to previous messageGo to next message
bigmountain is currently offline  bigmountain
Messages: 64
Registered: April 2006
I think I may have figured out the problem. Try unchecking the http scanning in the antivirus settings. I think there is a bug with it. Once I did that, Control properly deals with the SYN floods. I let GFI support know this, so I we are testing my theory now.

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #144096 is a reply to message #144095] Wed, 03 October 2018 15:39 Go to previous messageGo to next message
Columbia is currently offline  Columbia
Messages: 196
Registered: August 2014
Location: Moscow
I don't have a license for Antivirus. So this advice doesn't work for me.

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146379 is a reply to message #144068] Wed, 07 August 2019 09:19 Go to previous messageGo to next message
Columbia is currently offline  Columbia
Messages: 196
Registered: August 2014
Location: Moscow
Does anyone have a solution of this problem? Last days I have massive DDOS attacks on SSL (443 port). How to solve this problem?

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146957 is a reply to message #146379] Fri, 01 November 2019 17:43 Go to previous messageGo to next message
brauner is currently offline  brauner
Messages: 114
Registered: February 2010
same for me...

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146966 is a reply to message #144068] Sun, 03 November 2019 18:32 Go to previous messageGo to next message
robinbateman is currently offline  robinbateman
Messages: 226
Registered: April 2012
Location: Oxford(ish) UK
Hi All

We have been seeing massive DDoS attacks over the last week as well

I have blocked as many GEO IP Countries as possible but it is not possible to block US/Germany/France/UK etc

If we limit the maximum number of incoming connections to the mail server it stops legitimate connections including from mobile devices

We have been manually adding X.X.0.0/16 IP ranges but this is not practical on a long term basis

We have also tried setting maximum number of incoming connections from 1 IP address tweaking it when remote users get blocked and also are no blocking max no of connections per minute but this too need tweaking to be practical in order to not block legitimate outgoing connections

Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146967 is a reply to message #146966] Sun, 03 November 2019 20:21 Go to previous messageGo to next message
brauner is currently offline  brauner
Messages: 114
Registered: February 2010
same for me...

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146968 is a reply to message #146966] Sun, 03 November 2019 20:24 Go to previous messageGo to next message
daemor is currently offline  daemor
Messages: 3
Registered: December 2007
Try to setup only "Limit maximum concurrent connections from 1 source IP Address" to 50 and "Limit maximum concurrent inbound connections to 1 destination IP address from the same source" to 50.

The other option disable.

For me it works

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146970 is a reply to message #146968] Mon, 04 November 2019 10:45 Go to previous messageGo to next message
robinbateman is currently offline  robinbateman
Messages: 226
Registered: April 2012
Location: Oxford(ish) UK
For more info.... https://www.coretech.it/it/service/systemStatus/ This is a global issue not a Control issue but we do need more granular tools to stop DDoS

Daemor I find if I set "Limit maximum concurrent connections from 1 source IP Address" to 50 I get issue with LAN users accessing the internet

I currently have "Limit maximum inbound connections to 1 IP address from the same source" set to 30. If I set it any lower mobile users with mail get problems

Constantly blocking x.x.0.0/16 IP addresses is tedious and slow

Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL

Report message to a moderator

Re: DDOS (maybe) over port 80 [message #146993 is a reply to message #146970] Wed, 06 November 2019 01:50 Go to previous message
servis@selfman.sk is currently offline  servis@selfman.sk
Messages: 4
Registered: November 2019
Hi,
I do agree. I've sent several request to the GFI support for better monitoring and management in Kerio Control, but I was redirected to the forum, to make the post here.
SYN FLOOD attacs are detectable and I've suggested a auto blocking mechanism. Though I am not sure if this gets implemented.

Report message to a moderator

Previous Topic: Working bad with Expired licence
Next Topic: Allow to open specified URL group after quota exceed
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Mon May 29 19:48:15 CEST 2023

Total time taken to generate the page: 0.06507 seconds
.:: Contact :: Home :: Acceptable Use Policy ::.

Powered by: FUDforum 3.0.9.
Copyright ©2001-2022 FUDforum Bulletin Board Software