linux8080 端口被攻击，这是怎么做到的？

tcpdump显示众多源ip，而且来自不同地方，24小时不间断的刷啊
……
22:59:53.757199 IP 111.8.62.3.8038 > my_server_name.webcache: R 1002659497:1002659497(0) ack 1 win 0
22:59:53.758036 IP 110.205.143.219.broad.bj.bj.dynamic.163data.com.cn.5029 > my_server_name.webcache: S 2851863028:2851863028(0) win 1480
22:59:53.774206 IP 130.76.181.60.broad.wz.zj.dynamic.163data.com.cn.36426 > my_server_name.webcache: S 2831028411:2831028411(0) win 1480
22:59:53.776075 IP 123.139.209.184.30137 > my_server_name.webcache: S 4017635361:4017635361(0) win 1480
22:59:53.776839 IP 121.34.221.119.9908 > my_server_name.webcache: S 837044024:837044024(0) win 1480
22:59:53.781730 IP 144.0.193.26.27286 > my_server_name.webcache: R 2655450285:2655450285(0) ack 1 win 0
22:59:53.783780 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
22:59:53.783793 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
22:59:53.789409 IP 206.82.184.183.adsl-pool.sx.cn.8488 > my_server_name.webcache: S 13292673:13292673(0) win 1480
22:59:53.803736 IP 166.105.183.60.broad.sx.zj.dynamic.163data.com.cn.59965 > my_server_name.webcache: R 2434986321:2434986321(0) ack 1 win 0
22:59:53.817055 IP 14.154.201.202.dxmessagebase2 > my_server_name.webcache: S 2422988313:2422988313(0) win 1480
22:59:53.817658 IP 180.115.186.7.39709 > my_server_name.webcache: R 3067036612:3067036612(0) ack 1 win 0
22:59:53.818075 IP 153.37.55.209.57890 > my_server_name.webcache: S 2647351680:2647351680(0) win 1480
22:59:53.818087 IP 153.37.55.209.57890 > my_server_name.webcache: S 2647351680:2647351680(0) win 1480
22:59:53.824919 IP 144.0.193.26.27385 > my_server_name.webcache: S 1679616443:1679616443(0) win 1480
22:59:53.824932 IP 144.0.193.26.27385 > my_server_name.webcache: S 1679616443:1679616443(0) win 1480
22:59:53.832040 IP 27.185.89.240.8278 > my_server_name.webcache: S 2250297298:2250297298(0) win 1480
22:59:53.842221 IP 175.169.242.165.51397 > my_server_name.webcache: R 966327137:966327137(0) ack 1 win 0
22:59:53.858841 IP 58.217.15.160.9770 > my_server_name.webcache: R 3874420565:3874420565(0) ack 1 win 0
22:59:53.863049 IP 119.39.100.149.20802 > my_server_name.webcache: R 1758236370:1758236370(0) ack 1 win 0
22:59:53.898999 IP 115.239.101.28.33431 > my_server_name.webcache: S 1548454999:1548454999(0) win 1480
22:59:53.902565 IP 125.110.164.254.9133 > my_server_name.webcache: S 3853615462:3853615462(0) win 1480
22:59:53.902580 IP 49.74.31.167.8254 > my_server_name.webcache: S 1346836169:1346836169(0) win 1480
22:59:53.911242 IP 27.224.112.168.bmc-messaging > my_server_name.webcache: S 297943441:297943441(0) win 1480
22:59:53.929590 IP dns112.online.tj.cn.32535 > my_server_name.webcache: S 2075983090:2075983090(0) win 1480
22:59:53.935222 IP 16.71.65.222.broad.xw.sh.dynamic.163data.com.cn.8449 > my_server_name.webcache: S 2913705709:2913705709(0) win 1480
22:59:53.946193 IP 222.45.49.113.8390 > my_server_name.webcache: S 3781919088:3781919088(0) win 1480
22:59:53.947681 IP 66.207.116.112.broad.km.yn.dynamic.163data.com.cn.33159 > my_server_name.webcache: S 2209899657:2209899657(0) win 1480
22:59:53.976692 IP 14.218.21.6.9852 > my_server_name.webcache: S 3023885051:3023885051(0) win 1480
22:59:53.981722 IP 221.0.170.122.14864 > my_server_name.webcache: S 3007029936:3007029936(0) win 1480
22:59:53.985180 IP 110.255.103.153.28030 > my_server_name.webcache: S 2555479591:2555479591(0) win 1480
22:59:53.986831 IP 183.159.3.34.8346 > my_server_name.webcache: R 2380657566:2380657566(0) ack 1 win 0
22:59:53.994203 IP 118.117.57.14.cp-cluster > my_server_name.webcache: S 3081085765:3081085765(0) win 1480
22:59:54.011245 IP 113.90.202.185.4836 > my_server_name.webcache: S 776337793:776337793(0) win 1480
22:59:54.013997 IP 49.118.57.184.8258 > my_server_name.webcache: S 1156547442:1156547442(0) win 1480
22:59:54.014009 IP 221.215.151.250.44029 > my_server_name.webcache: S 3109020875:3109020875(0) win 1480
22:59:54.022167 IP 111.197.58.220.9137 > my_server_name.webcache: S 3907009925:3907009925(0) win 1480
22:59:54.022184 IP 111.197.58.220.9137 > my_server_name.webcache: S 3907009925:3907009925(0) win 1480
22:59:54.022900 IP 61.185.143.28.8284 > my_server_name.webcache: R 1173062330:1173062330(0) ack 1 win 0
22:59:54.028399 IP 136.252.36.120.broad.xm.fj.dynamic.163data.com.cn.simco > my_server_name.webcache: S 1312027176:1312027176(0) win 1480
22:59:54.034943 IP 61.185.143.28.8392 > my_server_name.webcache: S 1614871623:1614871623(0) win 1480
22:59:54.034955 IP 61.185.143.28.8392 > my_server_name.webcache: S 1614871623:1614871623(0) win 1480
22:59:54.035394 IP hn.ly.kd.adsl.8111 > my_server_name.webcache: S 1001433483:1001433483(0) win 1480
22:59:54.039576 IP 132.197.224.121.broad.wx.js.dynamic.163data.com.cn.10336 > my_server_name.webcache: S 1342978446:1342978446(0) win 1480
22:59:54.046402 IP 106.7.171.189.pxc-spvr-ft > my_server_name.webcache: S 1452239929:1452239929(0) win 1480
22:59:54.052456 IP 113.13.235.78.10169 > my_server_name.webcache: S 2948772484:2948772484(0) win 1480
22:59:54.057786 IP 221.214.165.207.28021 > my_server_name.webcache: S 4175701552:4175701552(0) win 1480
22:59:54.057799 IP 221.214.165.207.28021 > my_server_name.webcache: S 4175701552:4175701552(0) win 1480
22:59:54.059363 IP 75.86.249.116.broad.km.yn.dynamic.163data.com.cn.51418 > my_server_name.webcache: S 3740281310:3740281310(0) win 1480
22:59:54.062078 IP 72.75.224.121.broad.sz.js.dynamic.163data.com.cn.7210 > my_server_name.webcache: S 4248304216:4248304216(0) win 1480
22:59:54.069013 IP 112.236.115.118.9566 > my_server_name.webcache: S 2405441829:2405441829(0) win 1480
22:59:54.074719 IP 118.244.255.191.netsupport > my_server_name.webcache: R 3061295251:3061295251(0) ack 1 win 0
22:59:54.079061 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
22:59:54.079764 IP 49.118.233.13.42780 > my_server_name.webcache: S 284912091:284912091(0) win 1480
22:59:54.095316 IP 60.208.145.149.10256 > my_server_name.webcache: S 4047045660:4047045660(0) win 1480
22:59:54.095963 IP 243.182.186.220.broad.wz.zj.dynamic.163data.com.cn.9967 > my_server_name.webcache: S 537343209:537343209(0) win 1480
22:59:54.102875 IP 60.208.145.149.10256 > my_server_name.webcache: S 4047045660:4047045660(0) win 1480
22:59:54.102888 IP 222.85.82.172.25527 > my_server_name.webcache: S 3426084465:3426084465(0) win 1480
22:59:54.105697 IP 183.4.78.98.13468 > my_server_name.webcache: S 2301594782:2301594782(0) win 1480
22:59:54.107782 IP 183.4.78.98.13468 > my_server_name.webcache: S 2301594782:2301594782(0) win 1480
22:59:54.107796 IP 223.245.221.200.7679 > my_server_name.webcache: S 2689566425:2689566425(0) win 1480
22:59:54.108961 IP 183.37.240.190.gdp-port > my_server_name.webcache: S 4051266830:4051266830(0) win 1480
22:59:54.117948 IP 203.40.160.220.broad.fz.fj.dynamic.163data.com.cn.10441 > my_server_name.webcache: R 578534989:578534989(0) ack 1 win 0
22:59:54.124967 IP 125.80.164.76.25311 > my_server_name.webcache: S 451547197:451547197(0) win 1480
22:59:54.135321 IP 4.196.161.222.adsl-pool.jlccptt.net.cn.10157 > my_server_name.webcache: S 4105966441:4105966441(0) win 1480
22:59:54.146985 IP 1.30.208.122.10451 > my_server_name.webcache: S 1245850958:1245850958(0) win 1480
22:59:54.156400 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.9796 > my_server_name.webcache: R 3580832085:3580832085(0) ack 1 win 0
22:59:54.183885 IP 50.136.164.60.dail.ww.gs.dynamic.163data.com.cn.9686 > my_server_name.webcache: S 3016376764:3016376764(0) win 1480
22:59:54.186629 IP 110.18.37.197.10133 > my_server_name.webcache: S 2034068461:2034068461(0) win 1480
22:59:54.196794 IP 110.18.37.197.10133 > my_server_name.webcache: S 2034068461:2034068461(0) win 1480
22:59:54.204207 IP 115.197.77.171.48161 > my_server_name.webcache: S 2814195837:2814195837(0) win 1480
22:59:54.208412 IP 119.127.11.57.43422 > my_server_name.webcache: S 2900665168:2900665168(0) win 1480
22:59:54.217071 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.sctp-tunneling > my_server_name.webcache: S 1115400968:1115400968(0) win 1480
22:59:54.217084 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.sctp-tunneling > my_server_name.webcache: S 1115400968:1115400968(0) win 1480
22:59:54.217496 IP 222.169.69.157.4871 > my_server_name.webcache: S 4075432759:4075432759(0) win 1480
22:59:54.218155 IP 106.123.253.121.35167 > my_server_name.webcache: S 3729309272:3729309272(0) win 1480
22:59:54.219195 IP 60.215.9.53.7635 > my_server_name.webcache: S 424080732:424080732(0) win 1480
22:59:54.227259 IP 113.140.203.200.davsrcs > my_server_name.webcache: R 3002732680:3002732680(0) ack 1 win 0
22:59:54.234954 IP 113.63.193.231.9946 > my_server_name.webcache: R 3908004795:3908004795(0) ack 1 win 0
22:59:54.243492 IP 101.68.10.163.15661 > my_server_name.webcache: F 75140799:75140799(0) ack 1 win 65392
22:59:54.267196 IP 222.188.196.139.56758 > my_server_name.webcache: S 1991756040:1991756040(0) win 1480
22:59:54.268158 IP 115.202.32.23.9255 > my_server_name.webcache: S 89562150:89562150(0) win 1480
22:59:54.268174 IP 115.202.32.23.9255 > my_server_name.webcache: S 89562150:89562150(0) win 1480
22:59:54.273537 IP 124.67.140.33.20199 > my_server_name.webcache: S 500945474:500945474(0) win 1480
22:59:54.276398 IP 14.146.43.25.9707 > my_server_name.webcache: S 160170707:160170707(0) win 1480
22:59:54.279003 IP 14.146.43.25.9707 > my_server_name.webcache: S 160170707:160170707(0) win 1480
22:59:54.280061 IP 183.3.16.119.8064 > my_server_name.webcache: R 2011629550:2011629550(0) ack 1 win 0
22:59:54.296037 IP 113.8.223.196.aironetddp > my_server_name.webcache: S 167678558:167678558(0) win 1480
…….

thekll

2014-07-19 02:21:56 +08:00

@wzxjohn

tcpdump显示大量不同的源ip，如果这些ip是随机伪造的，应该不可能完成三次握手，为什么通过netstat查看状态有大量ESTABLISHED？
我理解的伪造源ip的攻击主要用于SYN Flood，所以不清楚我目前遇到的属于哪种。

以下是tcpdump加参数-nnX的输出结果：

01:55:04.500822 IP 180.111.189.20.8707 > 172.16.201.201.8080: S 598833600:598833600(0) win 1480
0x0000: 4500 0028 ed6a 0000 fe06 e806 b46f bd14 E..(.j.......o..
0x0010: ac10 c9c9 2203 1f90 23b1 79c0 0000 0000 ...."...#.y.....
0x0020: 5002 05c8 e3b7 0000 0000 0000 0000 P.............
01:55:04.500839 IP 180.111.189.20.8707 > 172.16.201.201.8080: S 598833600:598833600(0) win 1480
0x0000: 4500 0028 eaaf 0000 fe06 eac1 b46f bd14 E..(.........o..
0x0010: ac10 c9c9 2203 1f90 23b1 79c0 0000 0000 ...."...#.y.....
0x0020: 5002 05c8 e3b7 0000 0000 0000 0000 P.............
01:55:04.511716 IP 39.65.237.157.10156 > 172.16.201.201.8080: S 1194565532:1194565532(0) win 1480
0x0000: 4500 0028 e880 0000 fe06 4996 2741 ed9d E..(......I.'A..
0x0010: ac10 c9c9 27ac 1f90 4733 9f9c 0000 0000 ....'...G3......
0x0020: 5002 05c8 f155 0000 0000 0000 0000 P....U........
01:55:04.522350 IP 119.115.113.83.8002 > 172.16.201.201.8080: R 1449166068:1449166068(0) ack 1 win 0
0x0000: 4500 0028 2e47 0000 3406 f9e8 7773 7153 E..(.G..4...wsqS
0x0010: ac10 c9c9 1f42 1f90 5660 84f4 0000 0001 .....B..V`......
0x0020: 5014 0000 3708 0000 0000 0000 0000 P...7.........
01:55:04.546348 IP 27.38.53.206.19385 > 172.16.201.201.8080: S 3372241407:3372241407(0) win 1480
0x0000: 4500 0028 ed04 0000 fe06 08fd 1b26 35ce E..(.........&5.
0x0010: ac10 c9c9 4bb9 1f90 c900 51ff 0000 0000 ....K.....Q.....
0x0020: 5002 05c8 5d03 0000 0000 0000 0000 P...].........
01:55:04.548370 IP 218.59.187.45.30950 > 172.16.201.201.8080: R 2916263863:2916263863(0) ack 1 win 0
0x0000: 4500 0028 68ca 0000 2e06 18c3 da3b bb2d E..(h........;.-
0x0010: ac10 c9c9 78e6 1f90 add2 a7b7 0000 0001 ....x...........
0x0020: 5014 0000 b68b 0000 0000 0000 0000 P.............
01:55:04.569272 IP 220.249.184.116.9025 > 172.16.201.201.8080: S 3974400993:3974400993(0) win 1480
0x0000: 4500 0028 ee98 0000 fe06 c2ee dcf9 b874 E..(...........t
0x0010: ac10 c9c9 2341 1f90 ece4 8be1 0000 0000 ....#A..........
0x0020: 5002 05c8 e33a 0000 0000 0000 0000 P....:...…..

sar命令查看每秒大概100多次攻击，暂时通过iptable封掉了一些ip段，只是缓解了一些服务器的压力，还是没法根本上解决问题。

thekll

2014-07-20 01:42:00 +08:00

@ysjdx

我觉得还是P2P的DDoS攻击的可能性大一些，所有的包都会出现这样的数据：
每隔约10秒种连续发起几次请求：
01:34:08.375341 IP (tos 0x0, ttl 52, id 11617, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8146 > 172.16.201.201.8080: R, cksum 0xe0ed (correct), 68:68(0) ack 1 win 0
0x0000: 4500 0028 2d61 0000 3406 026d dd0b 041d E..(-a..4..m....
0x0010: ac10 c9c9 1fd2 1f90 3b74 3172 470d 848a ........;t1rG...
0x0020: 5014 0000 e0ed 0000 0000 0000 0000 P.............
01:34:08.634566 IP (tos 0x0, ttl 254, id 5929, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: S, cksum 0x87cc (correct), 872372089:872372089(0) win 1480
0x0000: 4500 0028 1729 0000 fe06 4ea4 dd0b 041d E..(.)....N.....
0x0010: ac10 c9c9 2043 1f90 33ff 5779 0000 0000 .....C..3.Wy....
0x0020: 5002 05c8 87cc 0000 0000 0000 0000 P.............
01:34:08.634613 IP (tos 0x0, ttl 254, id 5763, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: S, cksum 0x87cc (correct), 872372089:872372089(0) win 1480
0x0000: 4500 0028 1683 0000 fe06 4f4a dd0b 041d E..(......OJ....
0x0010: ac10 c9c9 2043 1f90 33ff 5779 0000 0000 .....C..3.Wy....
0x0020: 5002 05c8 87cc 0000 0000 0000 0000 P.............
01:34:08.635147 IP (tos 0x0, ttl 254, id 4579, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: ., cksum 0xdb9e (correct), 872372090:872372090(0) ack 1196319952 win 1480
0x0000: 4500 0028 11e3 0000 fe06 53ea dd0b 041d E..(......S.....
0x0010: ac10 c9c9 2043 1f90 33ff 577a 474e 64d0 .....C..3.WzGNd.
0x0020: 5010 05c8 db9e 0000 0000 0000 0000 P.............
01:34:08.659073 IP (tos 0x0, ttl 52, id 11713, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: ., cksum 0xe1b1 (correct), 68:68(0) ack 1 win 65392
0x0000: 4500 0028 2dc1 0000 3406 020d dd0b 041d E..(-...4.......
0x0010: ac10 c9c9 2043 1f90 33ff 57be 474e 64d0 .....C..3.W.GNd.
0x0020: 5010 ff70 e1b1 0000 0000 0000 0000 P..p..........
01:34:08.841644 IP (tos 0x0, ttl 52, id 11732, offset 0, flags [none], proto: TCP (6), length: 108) 221.11.4.29.8259 > 172.16.201.201.8080: P, cksum 0xd7aa (correct), 0:68(68) ack 1 win 65392
0x0000: 4500 006c 2dd4 0000 3406 01b6 dd0b 041d E..l-...4.......
0x0010: ac10 c9c9 2043 1f90 33ff 577a 474e 64d0 .....C..3.WzGNd.
0x0020: 5018 ff70 d7aa 0000 1342 6974 546f 7272 P..p.....BitTorr
0x0030: 656e 7420 7072 6f74 6f63 6f6c 0000 0000 ent.protocol....
0x0040: 0018 0005 3014 d66d 104e 0db3 a489 8180 ....0..m.N......
0x0050: 3932 5623 1dd2 072c 2d58 4638 3731 302d 92V#...,-XF8710-
0x0060: 7751 7164 6e34 6370 5076 4963 wQqdn4cpPvIc

对p2p协议不是很了解，不知道这是不是p2p客户端重连机制？