netstat shows over a hundred lines of connections in SYN_RECV state, and it is the same after a restart. What is the cause?

young8704

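netstat shows over a hundred lines of connections in SYN_RECV state, and it is the same after a restart. What is the cause?
See below; this is part of the output: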

[root@VM-20-191-centos ~]# netstat -anptu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.104.20.191:80        160.20.58.17:21923      SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.203.170.91:57617    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        45.135.47.218:27281     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        43.225.157.52:43318     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        103.100.208.88:65038    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        103.100.209.111:47093   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.203.254.204:18586   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.86.6.124:27798      SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        109.248.24.240:54339    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        39.109.122.96:23713     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        202.43.237.165:8851     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.92.14.126:38008     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        45.138.81.58:3022       SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        103.210.239.213:16978   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.221.22.233:43713    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        118.193.54.41:49827     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        196.63.177.33:34358     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        196.63.150.68:36688     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        118.184.92.89:6167      SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.211.14.20:19317     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        193.8.83.186:52358      SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.221.18.22:1209      SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.203.207.117:45523   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.223.144.173:20679   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.83.14.191:26167     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        169.129.215.59:13386    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        103.80.25.150:45368     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        203.91.82.119:45379     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.203.188.232:30709   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        156.238.60.61:11370     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        156.241.143.56:16974    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        156.240.38.30:38951     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        156.241.186.167:13598   SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        185.23.200.19:58        SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        103.211.99.236:19915    SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        154.83.13.168:27156     SYN_RECV    -                   
tcp        0      0 10.104.20.191:80        118.184.79.116:29039    SYN_RECV    - 

Also, checking Apache's access_log, I found many requests using the CONNECT method, which are clearly not ordinary user requests. Are they related to the SYN_RECV connections above?

45.137.20.150 - - [15/Jul/2021:09:59:29 +0800] "CONNECT icanhazip.com:443 HTTP/1.1" 405 288
175.184.166.193 - - [15/Jul/2021:10:07:58 +0800] "HEAD http://110.242.68.4/ HTTP/1.1" 200 -
220.200.171.91 - - [15/Jul/2021:10:07:59 +0800] "GET http://www.soso.com/ HTTP/1.1" 200 766
123.245.24.124 - - [15/Jul/2021:10:08:01 +0800] "CONNECT cn.bing.com:443 HTTP/1.1" 405 286
118.81.237.204 - - [15/Jul/2021:10:08:01 +0800] "GET http://www.rfa.org/english/ HTTP/1.1" 404 257
171.36.245.195 - - [15/Jul/2021:10:08:02 +0800] "GET http://www.wujieliulan.com/ HTTP/1.1" 200 766
219.143.174.183 - - [15/Jul/2021:10:08:02 +0800] "GET http://dongtaiwang.com/ HTTP/1.1" 200 766
49.113.97.236 - - [15/Jul/2021:10:08:03 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 405 288
125.72.95.254 - - [15/Jul/2021:10:08:03 +0800] "CONNECT dnspod.qcloud.com:443 HTTP/1.1" 405 292
124.227.31.167 - - [15/Jul/2021:10:08:04 +0800] "GET http://www.minghui.org/ HTTP/1.1" 200 766
221.205.139.8 - - [15/Jul/2021:10:08:05 +0800] "CONNECT dnspod.qcloud.com:443 HTTP/1.1" 405 292
124.227.31.145 - - [15/Jul/2021:10:08:05 +0800] "CONNECT www.voanews.com:443 HTTP/1.1" 405 290
117.14.114.3 - - [15/Jul/2021:10:08:05 +0800] "CONNECT dnspod.qcloud.com:443 HTTP/1.1" 405 292
113.120.15.214 - - [15/Jul/2021:10:08:05 +0800] "CONNECT www.so.com:443 HTTP/1.1" 405 285
113.128.105.60 - - [15/Jul/2021:10:08:06 +0800] "GET http://www.epochtimes.com/ HTTP/1.1" 200 766
123.160.235.32 - - [15/Jul/2021:10:08:07 +0800] "CONNECT dnspod.qcloud.com:443 HTTP/1.1" 405 292
36.5.158.228 - - [15/Jul/2021:10:08:08 +0800] "CONNECT dnspod.qcloud.com:443 HTTP/1.1" 405 292
1 Answer

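1: A large number of connections in SYN_RECV state
Consider whether this is a SYN flood (for SYN floods, see the TCP three-way handshake).

2: A large number of CONNECT requests
Proxy-server scanning; generally unrelated to SYN_RECV.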
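
To triage the two symptoms discussed in this thread separately, the following added example (not part of the original question or answer) summarises half-open connections per listening socket and counts proxy-style requests in an access log. The function names and the sample data, which uses RFC 5737 documentation addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the two symptoms in this thread.
# Function names are hypothetical; sample data is constructed.

# Summarise half-open connections from `netstat -ant` style text on stdin.
# Prints one line per local socket:
#   <local addr:port> <SYN_RECV count> <distinct source IPs>
syn_recv_summary() {
  awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
         src = $5; sub(/:[0-9]+$/, "", src)      # strip the source port
         n[$4]++
         if (!seen[$4 SUBSEP src]++) uniq[$4]++  # first time this source is seen
       }
       END { for (l in n) print l, n[l], uniq[l] }' | sort
}

# Count proxy-style requests in an Apache access log on stdin:
# CONNECT host:port, or any other method with an absolute http(s):// URI.
# Prints "connect <count>" and "absolute-uri <count>".
proxy_probe_summary() {
  awk -F'"' '{
         split($2, req, " ")                     # $2 is the quoted request line
         if (req[1] == "CONNECT") c++
         else if (req[2] ~ /^https?:\/\//) a++
       }
       END { print "connect", c + 0; print "absolute-uri", a + 0 }'
}

# Constructed netstat sample: three half-open entries from two sources.
SAMPLE_NETSTAT='tcp 0 0 192.0.2.10:80 198.51.100.1:21923 SYN_RECV -
tcp 0 0 192.0.2.10:80 198.51.100.2:57617 SYN_RECV -
tcp 0 0 192.0.2.10:80 198.51.100.2:57618 SYN_RECV -
tcp 0 0 192.0.2.10:22 203.0.113.5:50000 ESTABLISHED 812/sshd'

# Constructed access-log sample: one CONNECT, one absolute-URI GET, one normal GET.
SAMPLE_LOG='203.0.113.7 - - [15/Jul/2021:10:08:01 +0800] "CONNECT example.com:443 HTTP/1.1" 405 286
203.0.113.8 - - [15/Jul/2021:10:08:02 +0800] "GET http://example.org/ HTTP/1.1" 200 766
203.0.113.9 - - [15/Jul/2021:10:08:03 +0800] "GET /index.html HTTP/1.1" 200 766'

printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_summary
printf '%s\n' "$SAMPLE_LOG" | proxy_probe_summary
```

On a live host, pipe `netstat -ant` into `syn_recv_summary` and the access log into `proxy_probe_summary`. A SYN_RECV count that is close to the number of distinct sources means almost every half-open entry comes from a different address.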
