From: Reinder P. Gerritsen (reinder_at_strikerz.net)
Date: Fri Oct 11 2002 - 11:57:07 CDT


    I have had quite some response on the problem, and solutions were
    diverse.

    Most of you have thought of the kernel level Syncookie support. Gladly,
    I had this already configured both in kernel, and activated it when
    booting, when I put up the box a long time ago. This is probably why the
    attack still seems to be so unimportant. I don't dare to take out the
    support to see what happens, cause I suspect the server going down right
    away. Probably should have mentioned that, but I totally forgot about
    it.

    Having figured this out, it really *IS* an attempt to syn-flood, and not
    some crappy Relay Attack. This gives me time to think about how to solve
    my own bandwidth problem and server occupation, instead of worry about
    someone else getting the blast off my own box.

    The other solution was putting a limit on the Syn Packages. The biggest
    problem on this limit action is that the *vast* amount of spoofed
    syn-pack coming in will trip the switch the instant it resets itself.
    The big idea is to detect how often a particular IP, not known when
    programming the firewall, is throwing crap to me.

    The solution I expect will solve this particular problem came from Russ,
    and is quoted below.
    Thanks, I'll try and work this out on my box to see if it really solves
    my problem.

    Kind regards,
    Reinder Gerritsen

    -----Original Message-----
    From: Russ Dill

    http://www.netfilter.org/documentation/pomlist/pom-extra.html#recent

    that patch should be able to handle it, note that the links are bad, but
    the actual patches aren't too hard to find
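
An added illustration, not part of the original thread and not the netfilter `recent` patch itself: a small Python simulation contrasting the two approaches discussed above, a single global SYN limit versus counting hits per source address. The traffic, addresses, thresholds and function names are constructed for the example, and the per-source logic is a simplified stand-in for a per-address match.

```python
from collections import defaultdict, deque

LEGIT = "192.0.2.10"                       # constructed well-behaved client
FLOOD = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed flooders

def sample_traffic():
    """Constructed 10 s trace of (time_ms, source) SYNs: each flooder sends
    100 SYN/s, the legitimate client sends one SYN per second."""
    pkts = [(t, src) for t in range(0, 10_000, 10) for src in FLOOD]
    pkts += [(t, LEGIT) for t in range(505, 10_000, 1000)]
    return sorted(pkts)

def global_limit(packets, rate_per_s, burst):
    """One token bucket shared by every source (a single global SYN limit).
    Tokens are kept in thousandths so the arithmetic stays in integers."""
    tokens, last, accepted = burst * 1000, 0, []
    for ts, src in packets:
        tokens = min(burst * 1000, tokens + (ts - last) * rate_per_s)
        last = ts
        if tokens >= 1000:
            tokens -= 1000
            accepted.append((ts, src))
    return accepted

def per_source_limit(packets, window_ms, hitcount):
    """Track recent SYN times per source and drop a source that exceeds
    `hitcount` SYNs inside the window. Dropped SYNs are still recorded,
    so a persistent sender stays blocked."""
    seen, accepted = defaultdict(deque), []
    for ts, src in packets:
        q = seen[src]
        while q and ts - q[0] >= window_ms:
            q.popleft()
        q.append(ts)
        if len(q) <= hitcount:
            accepted.append((ts, src))
    return accepted

def count(accepted, src):
    """Number of accepted SYNs that came from `src`."""
    return sum(1 for _, s in accepted if s == src)

if __name__ == "__main__":
    pkts = sample_traffic()
    for name, result in (("global", global_limit(pkts, 5, 5)),
                         ("per-source", per_source_limit(pkts, 1000, 10))):
        print(name, "legit accepted:", count(result, LEGIT),
              "flood accepted:", len(result) - count(result, LEGIT))
```

Per-source counting of this kind only catches addresses that repeat within the window; a source address that appears once stays under the hit count.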