On Mon, 2002-10-07 at 14:28, Reinder P. Gerritsen wrote:
> Hi there,
> 
> I've been trying to get around this problem for quite some time. Still
> though I can not figure out what to do:
> 
> The following is happening:
> 
> Some unknown source is sending SYN packets to port 80 on my Linux box.
> These SYN packs have their sender address altered.
> 
> At any given moment SYN packs of some 20 to 30 faked host addresses are
> flooding into my IP stack, at an alarming rate. (think in order of some
> 100 SYN packs per sec or something like that.) My server responds to
> that with the SYNACK reply, to the faked address, which itself starts
> announcing it hasn't requested a session. This continues up to say about
> 5 minutes, then the IP drops its attempts, just to have "another IP"
> starting.
> 
> These sending IPs are absolutely fake. Some are Dutch hosts, some even
> claim to come from another box I own, and of which I _KNOW_ it isn't
> requesting anything. Most though are addresses from around the world, of
> whom nobody can possibly be interested in my website.

Absolutely fake IPs, but they aren't absolutely random. Ask iptables to drop
any SYN packets from a host that are above a particular rate, probably 1
or 2 per second.

The only unfortunate side effect here is that someone can prevent another
user from using your server if they know their IP address (they send
SYNs, the server drops SYNs for that IP).
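
The per-source SYN rate limit suggested in the reply above, and the side effect it mentions, modelled as a token bucket in Python. This is an added example, not part of the original message and not an iptables ruleset; the burst depth, the addresses (documentation ranges) and the traffic trace are constructed assumptions.

```python
from collections import defaultdict

RATE_PER_SEC = 2   # SYNs/second allowed per source (the reply suggests 1 or 2)
BURST = 2          # bucket depth; an assumption, the message gives no burst value
COST = 1000        # one SYN costs 1000 milli-tokens (integer math, no float drift)

class PerSourceSynLimiter:
    """Token bucket kept per source address, as a per-host SYN limit would do."""
    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate, self.cap = rate, burst * COST
        self.tokens = defaultdict(lambda: self.cap)
        self.last_ms = {}

    def allow(self, src, now_ms):
        elapsed = now_ms - self.last_ms.get(src, now_ms)
        self.last_ms[src] = now_ms
        # rate tokens per second == rate milli-tokens per millisecond
        self.tokens[src] = min(self.cap, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= COST:
            self.tokens[src] -= COST
            return True
        return False

def replay(packets, limiter=None):
    """Run (time_ms, src, label) records through the limiter; count per label."""
    limiter = limiter or PerSourceSynLimiter()
    accepted, dropped = defaultdict(int), defaultdict(int)
    for now_ms, src, label in packets:
        (accepted if limiter.allow(src, now_ms) else dropped)[label] += 1
    return dict(accepted), dict(dropped)

def constructed_trace():
    """Constructed sample: 100 SYN/s for 10 s spread over 25 forged sources
    (4/s each), one real visitor whose address is among the forged ones,
    and one visitor whose address is not."""
    forged = [f"198.51.100.{i}" for i in range(1, 26)]
    pkts = [(n * 10, forged[n % 25], "forged") for n in range(1000)]
    for t in (2005, 5005, 8005):
        pkts.append((t, "198.51.100.7", "real-visitor"))   # shares a forged address
        pkts.append((t, "203.0.113.9", "other-visitor"))   # address not forged
    return sorted(pkts)

if __name__ == "__main__":
    accepted, dropped = replay(constructed_trace())
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

On this trace the limit trims each forged address to the configured rate rather than to zero, and every SYN from the visitor whose address is being forged is dropped while the other visitor is unaffected.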

