Reinder P. Gerritsen wrote:
> At any given moment SYN packs of some 20 to 30 faked host addresses are
> flooding into my IP stack, at an alarming rate. (think in order of some
> 100 SYN packs per sec or something like that.) My server responds to
> that with the SYNACK reply, to the faked address, which itself starts
> announcing it hasn't requested a session. This continues up to say about
> 5 minutes, then the IP drops its attempts, just to have "another IP"
> starting.
[...]
> My question is, is there anyone who might have a solution to split out
> the large quantity of fake requests, without taking down all the
> legitimate traffic?

OK, the first thing that comes to mind is using syncookies.
http://cr.yp.to/syncookies.html

Basically you have to enable "CONFIG_SYN_COOKIES=y" and do a

$ echo "1" > /proc/sys/net/ipv4/tcp_syncookies

This should reduce the load on your machine, because it doesn't have to
keep track of all the fake connection-attempts. Of course it doesn't
reduce the load on your network-connection.

The only way this problem could be really solved is when all ISPs start
to use ingress-filtering (RFC2267) so no packets with faked IP-addresses
would leave their network in the first place.

Phil
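
Why syncookies let the server skip tracking half-open connections, as an added example that is not part of the original message and is not the Linux kernel's code: the SYN-ACK sequence number itself carries a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection (the layout described on the cr.yp.to page), so the server can validate the final ACK without having stored anything. The secret, the MSS table, the use of HMAC-SHA256 and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # assumption: a real stack uses a random secret
MSS_TABLE = [536, 1024, 1220, 1300, 1400, 1440, 1452, 1460]  # constructed values
MASK32 = 0xFFFFFFFF


def _mac24(src, sport, dst, dport, client_isn, t):
    """24-bit keyed hash over the connection 4-tuple, the client ISN and slot t."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHII", sport, dport, client_isn & MASK32, t & MASK32)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Build the ISN for the SYN-ACK. Nothing is stored for the connection."""
    t = int(now) // 64  # counter that advances every 64 seconds
    # Largest table entry not above the client's MSS (index 0 if none fits).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t % 32) << 27) | (idx << 24) | _mac24(src, sport, dst, dport, client_isn, t)


def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the ACK closing the handshake; return the MSS, or None if bogus."""
    cookie = (ack - 1) & MASK32  # the ACK acknowledges our ISN + 1
    t_now = int(now) // 64
    for age in (0, 1):  # accept the current and the previous 64-second slot
        t = t_now - age
        if cookie >> 27 != t % 32:
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, t)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


if __name__ == "__main__":
    # Constructed handshake between documentation addresses.
    conn = ("198.51.100.7", 40000, "192.0.2.10", 80, 123456)
    isn = make_cookie(*conn, mss=1460, now=1000)
    print("real client ACK ->", check_cookie(*conn, ack=isn + 1, now=1030))
    print("guessed ACK     ->", check_cookie(*conn, ack=(isn ^ 0x5A5A5A) + 1, now=1030))
```

A SYN from a faked address never produces the matching ACK, so it costs the server one hash and one SYN-ACK but no table entry.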