[nylug-talk] Help: Under Attack! (SYN flood)
Joachim Stahl
jstahl88 at gmail.com
Sat Nov 3 23:48:53 EDT 2007
> > One of my sites is under a SYN flood attack.
>
> Have a look at /etc/sysctl.conf for the "net.ipv4.tcp_syncookies"
> setting
Yes, this was already set on the machine, even before the attack
started.
> > iptables -A INPUT -i eth0 -s 11.22.33.44 -j DROP
>
> I'm not sure that's what you want -- -A APPENDS a rule rather than
> INSERTS a rule. I think you might want -I, since if an earlier
> iptables rule accepts the packet, then the appended rule won't
> actually reject the packet.
You are right, I actually had it as an insert (-I), but I was playing
around with it and changed it to -A.
> The rule above doesn't set logging the rejection, so I'm also not sure
> how you can be sure that this rule is dropping packets.
I run "iptables -nvL", which actually shows that the rule is blocking
packets, and it is. I'm just confused as to why tcpdump still shows it.
Joe
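The -A versus -I point raised above is a matter of first-match evaluation: netfilter walks a chain top to bottom and the first matching rule decides the verdict, so a DROP appended below an ACCEPT that already matches the attacker's SYNs never fires. The following Python model is an added illustration, not code from the thread or from iptables itself; the two pre-existing ACCEPT rules (one for ESTABLISHED traffic, one for TCP port 80) are assumed for the sake of the example, and the per-rule packet counter mirrors the pkts column that `iptables -nvL` prints.

```python
"""Model of netfilter first-match rule evaluation: iptables -A vs -I.

Added example; assumes a hypothetical INPUT chain with two ACCEPT
rules already present before the attacker's address is blocked.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                      # -j ACCEPT / -j DROP
    src: Optional[str] = None        # -s <addr>
    in_iface: Optional[str] = None   # -i <iface>
    dport: Optional[int] = None      # -p tcp --dport <port>
    state: Optional[str] = None      # -m state --state <NEW|ESTABLISHED>
    pkts: int = 0                    # counter shown by "iptables -nvL"

    def matches(self, pkt: dict) -> bool:
        """Every set criterion must match; unset criteria match anything."""
        return (
            (self.src is None or pkt["src"] == self.src)
            and (self.in_iface is None or pkt["iface"] == self.in_iface)
            and (self.dport is None or pkt["dport"] == self.dport)
            and (self.state is None or pkt["state"] == self.state)
        )


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A: the rule goes to the bottom of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I [rulenum]: the rule goes in at position rulenum (1-based)."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: dict) -> str:
        """First matching rule wins and has its pkts counter bumped;
        the chain policy applies when nothing matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.pkts += 1
                return rule.target
        return self.policy

    def listing(self) -> List[str]:
        """Rough equivalent of the pkts/target columns of iptables -nvL."""
        lines = [f"Chain INPUT (policy {self.policy})", "pkts target"]
        lines += [f"{r.pkts:>4} {r.target}" for r in self.rules]
        return lines


def build_chain(how: str):
    """Hypothetical INPUT chain; `how` is "append" (-A) or "insert" (-I)."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", state="ESTABLISHED"))   # assumed existing rule
    chain.append(Rule("ACCEPT", dport=80))              # assumed existing web rule
    block = Rule("DROP", src="11.22.33.44", in_iface="eth0")  # address from the thread
    if how == "append":
        chain.append(block)      # iptables -A INPUT -i eth0 -s 11.22.33.44 -j DROP
    elif how == "insert":
        chain.insert(block)      # iptables -I INPUT -i eth0 -s 11.22.33.44 -j DROP
    else:
        raise ValueError(how)
    return chain, block


# Constructed sample: one attacker SYN (a NEW connection) to the web port.
FLOOD_SYN = {"src": "11.22.33.44", "iface": "eth0", "dport": 80, "state": "NEW"}


def verdict_for_flood(how: str, count: int = 5):
    """Run `count` flood SYNs through the chain built with -A or -I.

    Returns (verdict of the last packet, pkts counter of the DROP rule)."""
    chain, block = build_chain(how)
    last = None
    for _ in range(count):
        last = chain.verdict(FLOOD_SYN)
    return last, block.pkts


if __name__ == "__main__":
    for how in ("append", "insert"):
        chain, _ = build_chain(how)
        for _ in range(5):
            chain.verdict(FLOOD_SYN)
        print(f"--- {how} ---")
        print("\n".join(chain.listing()))
```

With -A the DROP rule's pkts column stays at 0 and the SYNs are accepted by the port-80 rule above it; with -I the counter climbs with every flood packet, which is exactly why reading the counters from `iptables -nvL` is the right way to confirm a rule is doing work. Note that tcpdump is not such a check: libpcap reads from a packet socket that receives ingress frames before the IP stack hands them to netfilter's INPUT hook, so packets the DROP rule discards still show up in a capture on that interface.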