From: Philipp Schulte (pschulte_at_uni-duisburg.de)
Date: Fri Oct 11 2002 - 05:12:51 CDT
Reinder P. Gerritsen wrote:
> At any given moment SYN packs of some 20 to 30 faked host addresses are
> flooding into my IP stack, at an alarming rate. (think in order of some
> 100 SYN packs per sec or something like that.) My server responds to
> that with the SYNACK reply, to the faked address, which itself starts
> announcing it hasn't requested a session. This continues up to say about
> 5 minutes, then the IP drops its attempts, just to have "another IP"
> My question is, is there anyone who might have a solution to split out
> the large quantity of fake requests, without taking down all the
> legitimate traffic?
OK, the first thing that comes to mind is using syncookies.
Basically you have to enable "CONFIG_SYN_COOKIES=y" and do a
$ echo "1" > /proc/sys/net/ipv4/tcp_syncookies
This should reduce the load on your machine, because it doesn't have
to keep track of all the fake connection-attempts. Of course it
doesn't reduce the load on your network-connection.
The only way this problem could be really solved is when all ISPs
start to use ingress-filtering (RFC2267) so no packets with faked
IP-addresses would leave their network in the first place.
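
How syncookies let a server answer a SYN without keeping track of the attempt, as an added illustration that is not part of the original message and is not the Linux kernel's actual algorithm. The bit layout, MSS table, time slot, HMAC-SHA256 and every name and address in it are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # constructed; a real stack uses a random secret
MSS_TABLE = [216, 536, 1024, 1200, 1360, 1440, 1452, 1460]  # assumed 3-bit table
SLOT = 64     # seconds per time-counter step (assumed)
MAX_AGE = 1   # accept cookies from the current and the previous slot


def _mac(src, sport, dst, dport, client_isn, t, mss_idx):
    """24-bit keyed hash binding the cookie to one connection and time slot."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, t, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; nothing is stored per connection."""
    t = int(now) // SLOT
    # Largest table entry not above the client's MSS (index 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac(src, sport, dst, dport, client_isn, t, mss_idx), "big")
    return ((t % 32) << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the final ACK; return the negotiated MSS, or None if invalid.

    client_isn is the ACK segment's sequence number minus one.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 24) & 0x7
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    t_now = int(now) // SLOT
    for age in range(MAX_AGE + 1):
        t = t_now - age
        if t < 0 or t % 32 != cookie >> 27:
            continue
        if hmac.compare_digest(got, _mac(src, sport, dst, dport, client_isn, t, mss_idx)):
            return MSS_TABLE[mss_idx]
    return None
```

A sender using a faked source address never receives the SYN-ACK, so it cannot return the matching acknowledgement number, and the server has spent no memory on the attempt.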