On Mon, Oct 07, 2002 at 11:28:46PM +0200, Reinder P. Gerritsen wrote: > Some unknown source is sending SYN packets to port 80 on my linux box. > These SYN packs have their sender address altered.
You are being SYN flooded. Ensure syncookies are enabled. (This is controlled via /proc/sys/net/ipv4/tcp_syncookies -- you must have support for syncookies compiled into your kernel for this variable to be present and functional.) As for reducing your bandwidth usage, there really is no way for the provider to determine which syns are fake and which are legitimate at their end -- it isn't until your machine sends SYN+ACK back to the "source IP" and receives an RST in response that it is possible to tell the SYN was fake... Sorry, there are no easy solutions. -- http://immunix.org/
msg00475/pgp00000.pgp
Description: PGP signature