On Thu, May 23, 2002 at 10:30:22PM +0200, NetWatch wrote:
> Since several weeks we are getting SYN responses from Hosts that were
> under a DOS attack. The attacker used our IP-Addresses as the spoofed
> source IP and Port 80 as the source port.
> Everything I can find is how to survive when I am the attacked network.
> How can I prevent to get these stupid responses to my network. This is
> really annoying.

Without knowing the details of what the attack looks like, it is difficult to say what exactly will fix the problem. However, I am going to guess that the incoming packets have both the SYN and ACK flags set, since the other end point is supposedly replying to an initial SYN packet.

If this is the case, you can configure your firewall to block all incoming SYN+ACK packets that are not in response to an outgoing SYN packet. This would be pretty straightforward in the ipf or pf firewalls; it might be straightforward with iptables as well. I'm hoping my response will help you find some appropriate documentation.

(For completeness of archives, the method to block those packets with ipf or pf involves block in rules with "flags SA/SA", or something very similar depending upon local preferences.)

Good luck

--
http://sardonix.org/
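
The stateful check described in the reply above, as an added Python sketch that is not part of the original message or of any firewall's code: an inbound SYN+ACK passes only if it answers a SYN that left the network earlier. The class, the packet tuple and the addresses (documentation ranges) are constructed for illustration, and state expiry is not modelled.

```python
from collections import namedtuple

# Simplified TCP segment: endpoints plus the flags that are set ("S", "SA", ...).
Packet = namedtuple("Packet", "src sport dst dport flags")


class SynAckFilter:
    """Tracks outgoing SYNs and blocks inbound SYN+ACKs that match none of them."""

    def __init__(self):
        self.pending = set()  # (local, lport, remote, rport) of SYNs we sent
        self.dropped = 0      # count of unsolicited SYN+ACKs (backscatter)

    def outbound(self, pkt):
        # A bare SYN leaving the network creates a state entry.
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

    def inbound(self, pkt):
        # Same test as "flags SA/SA": of SYN and ACK, both must be set.
        if "S" in pkt.flags and "A" in pkt.flags:
            # Reverse the tuple so it lines up with the SYN we recorded.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.pending:
                return "pass"    # reply to a handshake we started
            self.dropped += 1
            return "block"       # answer to a SYN we never sent
        return "pass"            # other traffic is outside this sketch


def demo():
    """Run constructed traffic through the filter; 192.0.2.10 is the local host."""
    fw = SynAckFilter()
    fw.outbound(Packet("192.0.2.10", 40000, "198.51.100.5", 443, "S"))
    verdicts = [
        # Solicited: matches the outgoing SYN above.
        fw.inbound(Packet("198.51.100.5", 443, "192.0.2.10", 40000, "SA")),
        # Backscatter: a flooded host answering a SYN spoofed from our port 80.
        fw.inbound(Packet("203.0.113.7", 6667, "192.0.2.10", 80, "SA")),
        # Known remote host, but no SYN of ours used this local port.
        fw.inbound(Packet("198.51.100.5", 443, "192.0.2.10", 40001, "SA")),
    ]
    return verdicts, fw.dropped


if __name__ == "__main__":
    print(demo())
```

The `dropped` counter doubles as a rough measure of how much backscatter is arriving.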