[nylug-talk] Help: Under Attack! (SYN flood)
Chris Knadle
Chris.Knadle at coredump.us
Sat Nov 3 23:13:53 EDT 2007
On Saturday 03 November 2007, Joachim Stahl wrote:
> Need help.
>
> One of my sites is under a SYN flood attack. /var/log/messages is filled
> with this:
>
> Nov 3 22:34:45 matrix kernel: possible SYN flooding on port 80.

SYN flooding is a very old attack method. Have a look at /etc/sysctl.conf
for the "net.ipv4.tcp_syncookies" setting, which will activate SYN cookies.
This can also be manually done using an:

   echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The kernel source makefile 'help' points to this page for more info:

   http://cr.yp.to/syncookies.html

> Sending co$
> tcpdump shows the attackers, and I tried to put some rules in my iptables
> that block them, but either I am using iptables wrong or something else
> is the matter.
>
> I have this line in iptables:
>
> iptables -A INPUT -i eth0 -s 11.22.33.44 -j DROP

I'm not sure that's what you want -- -A APPENDS a rule rather than INSERTS
a rule. I think you might want -I, since if an earlier iptables rule accepts
the packet, then the appended rule won't actually reject the packet.

The rule above doesn't set up logging of the rejection, so I'm also not sure how
you can be sure that this rule is dropping packets.

-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
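
The append-versus-insert point in the reply above, as an added example that is not part of the original post: a small checker that reads saved `iptables -S INPUT` output and reports whether the DROP for a source address is reached or is shadowed by an earlier ACCEPT. The function name `find_shadow`, the two rule sets and the simplified matching are assumptions made for illustration.

```shell
#!/bin/sh
# find_shadow SRC PORT IFACE: reads `iptables -S INPUT` output on stdin and
# reports which rule a new TCP SYN from SRC to PORT arriving on IFACE hits first:
#   shadowed <n> <rule>  an earlier ACCEPT at position n wins; the DROP is never reached
#   effective <n>        the DROP for SRC at position n is reached
#   missing              no matching ACCEPT or DROP (chain policy applies)
# Simplified matcher (assumption): handles -s, -i, -p, --dport, --state/--ctstate
# only; negated ("!") matches and jumps to user chains are not interpreted.
find_shadow() {
    awk -v src="$1" -v port="$2" -v iface="$3" '
    # Value following option opt in the current rule, or "" if absent.
    function optval(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        n++
        target = optval("-j"); s = optval("-s"); ifc = optval("-i")
        proto = optval("-p"); dport = optval("--dport")
        state = optval("--state"); if (state == "") state = optval("--ctstate")
        exact  = (s == src || s == (src "/32"))
        src_ok = (s == "" || exact || s == "0.0.0.0/0")
        ifc_ok = (ifc == "" || ifc == iface)
        tcp_ok = (proto == "" || proto == "tcp") && (dport == "" || dport == port)
        # A new SYN is not matched by ESTABLISHED/RELATED-only rules.
        new_ok = (state == "" || state ~ /(^|,)NEW(,|$)/)
        if (!(src_ok && ifc_ok && tcp_ok && new_ok)) next
        if (target == "DROP" && exact) { print "effective", n; found = 1; exit }
        if (target == "ACCEPT")        { print "shadowed", n, $0; found = 1; exit }
    }
    END { if (!found) print "missing" }
    '
}

# Constructed sample: the DROP was appended (-A) after the port-80 ACCEPT.
APPENDED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 11.22.33.44/32 -i eth0 -j DROP'
# Constructed sample: the same DROP inserted (-I) at the head of the chain.
INSERTED='-A INPUT -s 11.22.33.44/32 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

printf '%s\n' "$APPENDED" | find_shadow 11.22.33.44 80 eth0
printf '%s\n' "$INSERTED" | find_shadow 11.22.33.44 80 eth0
```

On a live host the input would come from `iptables -S INPUT` run as root; per-rule packet counters from `iptables -L INPUT -v -n` show whether the DROP is actually being hit.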