Security Incidents mailing list archives
Re: Spam and SYN Flood?
From: Peter Kosinar <goober () ksp sk>
Date: Thu, 21 Dec 2006 01:52:52 +0100 (CET)
Hello Curt,
> I've since enabled TCP_SYNCOOKIES as well as increased the SYN buffer to 4096, as well as shortened the amount of time that a SYN connection existed on the server. What I'm looking for is, am I creating a denial of service for myself, or is this coming from somewhere else that I'm just not expecting? If so, is there a way to trace this, or not? Example of SYN_RECV from netstat -anp output (this can go on for about 1500 connections, so that's why only about 15 are listed).
At first glance, it seems you're blocking the connections too late -- i.e. after the initial SYN packet has been received. I haven't played with ipchains for ages, but couldn't you, by accident, have blocked the communication in the other direction instead of the right one? That would effectively block the SYN/ACK which is sent as an answer to the initial SYN, thus causing the symptoms you're observing.
Peter

--
[Name]  Peter Kosinar
[Quote] 2B | ~2B = exp(i*PI)
[ICQ]   134813278
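The two questions in this exchange (is the pile of SYN_RECV entries a real flood, and is the firewall acting on the wrong direction) can both be approached from the `netstat -anp` output Curt mentions. The script below is an added example, not code from either poster: it parses a constructed netstat sample, counts half-open sockets per local port and per remote address, applies a simple heuristic to separate a concentrated source from a distributed (likely spoofed) one, and checks whether addresses the administrator believes are blocked still show up in SYN_RECV, which is exactly what would happen if the rule only stopped the outbound SYN/ACK. The thresholds (`min_total`, `top_share`) and the sample addresses are assumptions chosen for illustration.

```python
"""Summarise SYN_RECV entries from `netstat -anp` output.

Added example for the 'Spam and SYN Flood?' thread; the sample below is
constructed (RFC 5737 documentation addresses), not captured from a real host.
"""
import re
from collections import Counter

# Constructed sample of Linux `netstat -anp` output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      812/sendmail
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.7:40114      SYN_RECV    -
tcp        0      0 192.0.2.10:25           203.0.113.55:51200      SYN_RECV    -
tcp        0      0 192.0.2.10:25           203.0.113.56:51201      SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.57:33001      SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.9:2210       ESTABLISHED 812/sendmail
"""

# proto, recv-q, send-q, local, foreign, state; the PID column is optional.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)"
)


def parse_syn_recv(text):
    """Return (local_port, remote_ip) pairs for every SYN_RECV line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "SYN_RECV":
            continue
        local_port = m.group("local").rsplit(":", 1)[1]
        remote_ip = m.group("remote").rsplit(":", 1)[0]
        pairs.append((local_port, remote_ip))
    return pairs


def summarise(pairs):
    """Count half-open connections per local port and per remote address."""
    return {
        "total": len(pairs),
        "by_port": Counter(port for port, _ in pairs),
        "by_source": Counter(ip for _, ip in pairs),
    }


def classify(summary, min_total=100, top_share=0.5):
    """Heuristic verdict (thresholds are assumptions, tune for your host):

    - fewer than min_total half-open sockets: ordinary backlog churn;
    - one source holding at least top_share of them: a single peer is
      hammering the port, or its SYN/ACKs never reach it (e.g. a firewall
      rule that drops the reply direction instead of the inbound SYN);
    - otherwise: many sources with few entries each, which is what a flood
      from spoofed or distributed addresses looks like.
    """
    total = summary["total"]
    if total < min_total:
        return "normal"
    top_ip, top_n = summary["by_source"].most_common(1)[0]
    if top_n / total >= top_share:
        return f"concentrated:{top_ip}"
    return "distributed"


def leaked_blocked(pairs, blocked_sources):
    """Blocked addresses that still reach SYN_RECV.

    A SYN_RECV entry means the kernel accepted the inbound SYN and queued a
    SYN/ACK, so any address listed here was not stopped on the inbound path:
    the rule is either too late or written for the wrong direction.
    """
    return {ip for _, ip in pairs if ip in blocked_sources}


if __name__ == "__main__":
    pairs = parse_syn_recv(SAMPLE_NETSTAT)
    summary = summarise(pairs)
    print("half-open sockets:", summary["total"])
    print("per local port:", dict(summary["by_port"]))
    print("per source:", dict(summary["by_source"]))
    print("verdict:", classify(summary, min_total=1))
    print("blocked but still half-open:", leaked_blocked(pairs, {"198.51.100.7"}))
```

Run it against real output with `netstat -anp | python3 synrecv.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`; on a host with the 1500-entry backlog Curt describes, `min_total` at its default is the interesting setting, and an address appearing in `leaked_blocked` confirms Peter's suspicion that the ipchains rule is not matching the inbound SYN.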
Current thread:
- Spam and SYN Flood? Curt LeCaptain (Dec 18)
- Re: Spam and SYN Flood? Peter Kosinar (Dec 21)