On Tue, Aug 20, 2019 at 07:36:11PM +0200, Peter J. Philipp wrote:
> Hi,
>
> On the NANOG list there is a thread about something synflooding:
> https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html
>
> Most of my hosts are synflooded, and I was wondering why my OpenBSD
> hosts don't show any SYN_RECV states in a netstat -nafinet. I had to tcpdump
> to see a synflood happening on port 53 on one of my hosts, have to
> still check the other one. Could there be a bad pf rule I'm
> using? I suspect this is a worm of sorts or something.
>
> While not an emergency, it is inconvenient to pick out the synflooders
> with tcpdump. Are there any better tools?
netstat does not show SYN_RECV states because those are held in the syncache and need to finish the 3-way handshake before showing up in netstat. I normally use tcpdump to identify synfloods but pfctl -ss will probably show them as well (up to the moment where pf decides to switch to syncookies).

--
:wq Claudio
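Since the half-open connections live in the syncache and never reach netstat, the practical way to pick out the flooders is to count bare SYNs per source in the tcpdump output. The script below is an added example, not code from Claudio or from this thread: it assumes tcpdump -n style lines (both the newer "Flags [S]" form and the OpenBSD "S seq:seq(0)" form) and uses a small constructed capture as input; the function and sample names are made up for the example.

```shell
#!/bin/sh
# Added example: rank source addresses by the number of bare SYNs (no ACK)
# they sent to a given port, as seen in tcpdump -n output.
# Assumed line formats (not from the thread):
#   newer tcpdump: ... IP 192.0.2.10.40001 > 198.51.100.5.53: Flags [S], seq 1, ...
#   OpenBSD style: ... 192.0.2.10.40004 > 198.51.100.5.53: S 6:6(0) win 1024

# top_syn_sources PORT [N]
# Reads tcpdump lines on stdin and prints "count source" for the N (default 5)
# sources that sent the most pure SYNs to PORT. SYN-ACKs ("S." / "S" with an
# ack) are ignored, as is traffic to other ports.
top_syn_sources() {
    port="$1"; n="${2:-5}"
    awk -v port="$port" '
        {
            src = ""
            # locate the "src > dst:" pair; a leading "IP" token is skipped naturally
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            if (src == "") next
            sub(/:$/, "", dst)
            # destination port is the text after the last dot
            dport = dst; sub(/.*\./, "", dport)
            if (dport != port) next
            # bare SYN: "Flags [S]," (newer tcpdump) or a lone "S" after dst (OpenBSD)
            if ($0 ~ /Flags \[S\],/ || $(i+2) == "S") {
                host = src; sub(/\.[0-9]+$/, "", host)   # drop the source port
                count[host]++
            }
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn | head -n "$n"
}

# Constructed sample capture (documentation addresses only), standing in for
# "tcpdump -n -i em0 'tcp[tcpflags] & tcp-syn != 0'" output.
sample_capture() {
    cat <<'EOF'
19:36:11.000001 IP 192.0.2.10.40001 > 198.51.100.5.53: Flags [S], seq 1, win 1024, length 0
19:36:11.000002 IP 192.0.2.10.40002 > 198.51.100.5.53: Flags [S], seq 2, win 1024, length 0
19:36:11.000003 IP 192.0.2.10.40003 > 198.51.100.5.53: Flags [S], seq 3, win 1024, length 0
19:36:11.000004 IP 203.0.113.7.50000 > 198.51.100.5.53: Flags [S], seq 4, win 1024, length 0
19:36:11.000005 IP 198.51.100.5.53 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 16384, length 0
19:36:11.000006 IP 203.0.113.7.50001 > 198.51.100.5.22: Flags [S], seq 5, win 1024, length 0
19:36:11.000007 192.0.2.10.40004 > 198.51.100.5.53: S 6:6(0) win 1024
19:36:11.000008 203.0.113.7.50002 > 198.51.100.5.53: S 7:7(0) win 1024
EOF
}

# Usage on the sample: prints "4 192.0.2.10" then "2 203.0.113.7".
# On a live host: tcpdump -n -i em0 'tcp[tcpflags] & tcp-syn != 0' | top_syn_sources 53
sample_capture | top_syn_sources 53
```

The SYN-ACK line and the SYN to port 22 are dropped on purpose, so the counts reflect only half-open attempts against the port under attack; feeding the top entries into a pf table is then a separate, deliberate step.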