Possible Performance Hit



AthenaOfDelphi
23-06-2019, 12:28 PM
Hi all,

Over the weekend, my server (that hosts PGD) started reporting excessive process warnings on the monitoring solution I use to keep an eye on things.

In investigating this it's become plainly apparent that there are a lot of weird connections coming into the server from some dubious IP addresses. Many of these are already being handled by the firewall and the hosting management software, but some were not and these seemed to be intent on keeping connections to the mail services alive for an indefinite period of time.

To try and combat this I've added some rules to the firewall to limit simultaneous connections. The downside of this is that you may notice a slight performance hit when surfing the site as connections could be rejected during page loading.

I'm doing my best to ensure the server is safe from malicious activity and right now, this is the best solution I can come up with. Looking at some monitoring of the network it appears to be working.

If you do notice any issues, please post details here.


Thanks

de_jean_7777
24-06-2019, 09:19 AM
Works mostly, and it's almost as fast as it was before (PGD may have been sluggish due to the increased number of connections). Sometimes it can't connect but it's fine as a mitigation.
Thank you for working on it.

SilverWarior
25-06-2019, 09:20 AM
but some were not and these seemed to be intent on keeping connections to the mail services alive for an indefinite period of time.

Are we talking here about connections to mail services using mail protocols like POP3, IMAP and SMTP, or are we talking about connections being made toward the web mail interface?
If we are talking about connections through mail protocols then you could easily set up a connection limit in your firewall in such a way that it doesn't interfere with the webpage, as you can impose a connection limit only on the specific ports that are used by these protocols:
POP3:
  Port 110 - this is the default POP3 non-encrypted port
  Port 995 - this is the port you need to use if you want to connect using POP3 securely

IMAP:
  Port 143 - this is the default IMAP non-encrypted port
  Port 993 - this is the port you need to use if you want to connect using IMAP securely

SMTP:
  Port 25 - this is the default SMTP non-encrypted port
  Port 2525 - this port is opened on all SiteGround servers in case port 25 is filtered (by your ISP for example) and you want to send non-encrypted emails with SMTP
  Port 465 - this is the port used if you want to send messages using SMTP securely

Only in the case of possible attacks on the web interface would you not be able to impose a connection limit without affecting the PGD webpage, as both work on port 80 for the initial connection and then port 443 for maintaining a secure connection using HTTPS.

AthenaOfDelphi
25-06-2019, 11:12 AM
It wasn't just mail these connections were appearing on which is why the connection limit is affecting everything.

It appears to be some kind of TCP SYN attack as the connections are in the SYN state as though the server has responded to the SYN request with a SYN+ACK and is waiting for the client to return ACK.
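
As an added example (not code from this thread, from the PGD server or from its hosting software), here is a small check for the situation described above: it takes the output of `ss -tan` on Linux, counts connections stuck in SYN-RECV per source address and per destination port, flags the noisiest sources, and drafts the per-port connlimit rules of the kind SilverWarior suggests, so that the mail ports can be limited without touching 80 and 443. The `ss` output is a constructed sample using documentation address ranges, the threshold and the limit of 10 are arbitrary, the script name is mine, and the iptables rule shape is my assumption and should be reviewed before it is applied.

```python
"""Summarise half-open (SYN-RECV) TCP connections from `ss -tan` output and
draft per-port connlimit rules. Added example; not code from the thread."""
import sys
from collections import Counter

# Constructed sample in the layout of `ss -tan` on Linux; NOT a capture from
# the PGD server. Addresses are from the documentation ranges (RFC 5737/3849).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port        Peer Address:Port
LISTEN     0      128    0.0.0.0:25                0.0.0.0:*
ESTAB      0      0      203.0.113.10:443          198.51.100.7:51234
SYN-RECV   0      0      203.0.113.10:25           192.0.2.55:40001
SYN-RECV   0      0      203.0.113.10:25           192.0.2.55:40002
SYN-RECV   0      0      203.0.113.10:110          192.0.2.55:40003
SYN-RECV   0      0      203.0.113.10:443          192.0.2.55:40004
SYN-RECV   0      0      [2001:db8::10]:993        [2001:db8::55]:40005
ESTAB      0      0      203.0.113.10:80           198.51.100.9:52000
"""

# Mail ports listed in the thread (2525 being SiteGround's alternate SMTP port).
MAIL_PORTS = (25, 2525, 465, 110, 995, 143, 993)


def split_endpoint(endpoint):
    """'203.0.113.10:25' -> ('203.0.113.10', 25);
    '[2001:db8::1]:993' -> ('2001:db8::1', 993);
    a wildcard port as in '0.0.0.0:*' yields None for the port."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(text):
    """Parse `ss -tan` output into dicts; the header and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        local_ip, local_port = split_endpoint(parts[3])
        peer_ip, peer_port = split_endpoint(parts[4])
        rows.append({"state": parts[0], "local_port": local_port,
                     "peer_ip": peer_ip, "peer_port": peer_port})
    return rows


def half_open(rows):
    """Connections where the server sent SYN+ACK and still waits for the ACK."""
    return [r for r in rows if r["state"] == "SYN-RECV"]


def half_open_by_peer(rows):
    return Counter(r["peer_ip"] for r in half_open(rows))


def half_open_by_port(rows):
    return Counter(r["local_port"] for r in half_open(rows))


def flag_sources(rows, threshold):
    """Peers holding at least `threshold` half-open connections, busiest first."""
    counts = half_open_by_peer(rows)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def connlimit_rules(ports, limit, mask=32):
    """Draft iptables connlimit rules for the given ports only, so the web ports
    stay untouched. Rule shape is an assumption for illustration; review it
    against your firewall setup before applying."""
    return [
        f"iptables -A INPUT -p tcp --syn --dport {port} "
        f"-m connlimit --connlimit-above {limit} --connlimit-mask {mask} -j DROP"
        for port in ports
    ]


def main():
    # Use piped `ss -tan` output when present, otherwise the constructed sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_ss(text)
    print("half-open by destination port:", dict(half_open_by_port(rows)))
    for ip, n in flag_sources(rows, threshold=3):
        print(f"{ip} holds {n} half-open connections")
    for rule in connlimit_rules(MAIL_PORTS, limit=10):
        print(rule)


if __name__ == "__main__":
    main()
```

Feed real data with `ss -tan | python3 synrecv_check.py`. Two caveats a practitioner would want: connlimit counts per source address, so a SYN flood with spoofed sources will not trip it, and for that case the kernel's SYN cookies (`net.ipv4.tcp_syncookies=1` via sysctl) are the usual mitigation and, unlike a global connection cap, do not reject legitimate page loads.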

SilverWarior
26-06-2019, 04:29 PM
It appears to be some kind of TCP SYN attack as the connections are in the SYN state as though the server has responded to the SYN request with a SYN+ACK and is waiting for the client to return ACK.

Well this is a completely different matter then.
Here is what I'm wondering. Who would want to launch a TCP SYN Flood attack against PGD? What would they gain by doing this?
Now if you perhaps host some other sites from your servers, is it possible that one of them might be the actual target for the TCP SYN Flood attack? Perhaps they might even be executing the TCP SYN flood attack toward PGD in order to make it less obvious that they are attacking another site on your server, since clogging the server would take down all of the sites hosted on it anyway.

davido
23-07-2019, 11:35 AM
Hi, I did not notice any drop in performance, thanks for working on it.
