Hi there,

I've been trying to get around this problem for quite some time. Still,
though, I cannot figure out what to do:

The following is happening:

Some unknown source is sending SYN packets to port 80 on my Linux box.
These SYN packets have their sender address altered.

At any given moment SYN packets from some 20 to 30 faked host addresses are
flooding into my IP stack, at an alarming rate (think in the order of some
100 SYN packets per second or something like that). My server responds to
that with the SYN/ACK reply, to the faked address, which itself starts
announcing it hasn't requested a session. This continues for up to, say, about
5 minutes, then the IP drops its attempts, just to have "another IP"
starting.

These sending IPs are absolutely fake. Some are Dutch hosts, some even
claim to come from another box I own, of which I _KNOW_ it isn't
requesting anything. Most though are addresses from around the world, none
of whom can possibly be interested in my website.

The way this is acting seems to closely resemble
http://www.igknighttec.com/Articles/Network/basicdrdos.php, with me being the
"man in the middle", except there is as of yet no real target to be
discovered.

When I kill off my webserver for, say, about 12 hours, you see a huge drop
in attempts. Once I put up the webserver again, the packets start
cramming up my pipe within no time.

My provider, as of yet, doesn't really care. Traffic on the backbone is
light, and most of it is routed through peerings, so no big deal there,
really. But my webserver is suffering seriously in performance. Ping times
that are usually around 20 to 30 ms are dropping to 120~150 ms. This,
and the idea that my server apparently is smoking someone's internet
connection, is really bugging me. The situation became apparent after a
serious DDoS attack with some UDP flooding. When I tried to monitor that
attack, this behaviour came to light as I finally got the UDP killed
off.

My question is, is there anyone who might have a solution to split out
the large quantity of fake requests, without taking down all the
legitimate traffic?

R. Gerritsen
Strikerz.net

(Box specs: Linux Slackware 8.0 / 2.4.18 with iptables.)
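A detection sketch added here, not part of the original post or any reply: given iptables LOG lines for SYNs to port 80 (assumed to come from a rule such as `iptables -A INPUT -p tcp --dport 80 --syn -j LOG --log-prefix "SYNLOG "`), it counts bare SYNs per source address and lists the addresses whose count passes a threshold, which is one way to separate the spoofed flood described above from ordinary visitors. The log lines are constructed samples, not a real capture.

```python
from collections import Counter


def parse_log_line(line):
    """Split one iptables LOG line into (key=value fields, bare flag tokens).

    Returns None for lines that are not TCP LOG entries.
    """
    if "IN=" not in line or "PROTO=TCP" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[-1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)  # e.g. DF, SYN, ACK, PSH, or the log prefix
    return fields, flags


def syn_sources(lines, port="80"):
    """Count bare SYNs (SYN set, ACK clear) to `port`, per source address."""
    counts = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("DPT") == port and "SYN" in flags and "ACK" not in flags:
            counts[fields["SRC"]] += 1
    return counts


def suspect_sources(lines, port="80", threshold=10):
    """Source addresses whose bare-SYN count to `port` reaches the threshold."""
    return sorted(src for src, n in syn_sources(lines, port).items() if n >= threshold)


def _line(src, spt, flags):
    # Constructed sample in the shape of a 2.4 kernel iptables LOG entry.
    return (f"Mar 12 10:00:00 web kernel: SYNLOG IN=eth0 OUT= SRC={src} DST=198.51.100.5 "
            f"LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT={spt} DPT=80 WINDOW=5840 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = (
    [_line("203.0.113.7", 1025 + i, "SYN") for i in range(12)]    # spoofed flood source
    + [_line("192.0.2.44", 2000 + i, "SYN") for i in range(11)]   # spoofed flood source
    + [_line("198.51.100.9", 40000, "SYN"),                       # one ordinary visitor
       _line("198.51.100.9", 40000, "ACK PSH")]                   # its later data packet
)

if __name__ == "__main__":
    print(suspect_sources(SAMPLE_LOG))  # constructed data: the two flood sources
```

Because the spoofed addresses rotate every few minutes, the resulting list is input for short-lived rate-limit rules rather than a permanent block list.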
