Hello, I work for a BIG company and we get lots of SYN flood attacks on our company. DDoS is not a problem because our ISP is dropping all ICMP on their router, but SYN flood attacks go through. The problem is that when there is a major attack the Linux firewall gets disconnected while the attack is in progress. I get this in my /var/log/messages:

Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt, IntrStatus=0x0001.

I use the RTL 8139too driver. I thought this could be a network card problem and changed the card to an eepro100, and still the same problem with a slightly different kernel message, but I still lose the connection when the attack is in progress. So I thought that maybe I have a problem with my firewall configuration.

Current configuration:

# ICMP / routing hardening
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
/bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # repeat of the first line
# TCP tuning
/bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
/bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
/bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
/bin/echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
/bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
# SYN rate limiting: all incoming SYNs go to the syn-flood chain,
# 2/s (global, not per source) with a burst of 4 are returned to INPUT,
# everything above that is logged (the LOG rule itself has no limit) and dropped
/usr/sbin/iptables -N syn-flood
/usr/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
/usr/sbin/iptables -A syn-flood -m limit --limit 2/s --limit-burst 4 -j RETURN
/usr/sbin/iptables -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD-IN: "
/usr/sbin/iptables -A syn-flood -j DROP
# Drop NEW TCP connections that do not start with a SYN
/usr/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Log and drop fragments
/usr/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
/usr/sbin/iptables -A INPUT -f -j DROP

I pasted only the SYN firewall settings; the other settings are some drops for other ports etc... Anyone got any ideas what else I could add/change for SYN flooding or any kind of flooding/attacks?
BTW: the line bandwidth is not a problem, we have a 100 Mbit Internet line to the ISP and the attack usually uses up to 10 Mbit, but I still get disconnected. I really need help and my boss wants to see some results. Anyone? Help! And sorry for the long post, and sorry for my English.
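To turn the kernel messages described above into a per-source picture of what the firewall is dropping, here is an added Python example (not part of the original post) that parses /var/log/messages lines in the key=value format the iptables LOG target writes, using the log prefixes from the rules above, and correlates them with the "Too much work at interrupt" events. The sample log lines are constructed, the addresses are documentation-range placeholders, and the per-second threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines in the key=value format the
# iptables LOG target writes (prefixes taken from the poster's rules).
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=1026 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 LEN=40 TTL=118 ID=0 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 16:56:51 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=1027 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt, IntrStatus=0x0001.
Apr 11 16:56:52 fw kernel: IPTABLES FRAGMENTS: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 LEN=1500 TTL=118 ID=4 MF PROTO=TCP
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LOG_RE = re.compile(TS + r" \S+ kernel: (?P<prefix>IPTABLES [A-Z-]+): (?P<fields>.*)$")
IRQ_RE = re.compile(TS + r" \S+ kernel: (?P<dev>\w+): Too much work at interrupt")

def parse_fields(text):
    """Turn 'SRC=1.2.3.4 OUT= DF SYN' into a dict; bare flags map to True."""
    out = {}
    for tok in text.split():
        key, eq, val = tok.partition("=")
        out[key] = val if eq else True
    return out

def analyse(log_text, max_logged_per_sec=2):
    """Count dropped SYNs per source, per source-and-second and per destination
    port, and collect NIC interrupt-overload events for correlation. A source
    with >= max_logged_per_sec (assumed threshold) in one second is an offender."""
    per_src_sec, by_src, by_dport, irq_events = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        m = IRQ_RE.match(line)
        if m:
            irq_events.append((m["ts"], m["dev"]))
            continue
        m = LOG_RE.match(line)
        if not m or m["prefix"] != "IPTABLES SYN-FLOOD-IN":
            continue  # fragment logs and unrelated kernel lines are skipped
        f = parse_fields(m["fields"])
        if f.get("PROTO") != "TCP" or "SYN" not in f:
            continue
        per_src_sec[(f["SRC"], m["ts"])] += 1
        by_src[f["SRC"]] += 1
        by_dport[f["DPT"]] += 1
    offenders = sorted({src for (src, _), n in per_src_sec.items() if n >= max_logged_per_sec})
    return {"offenders": offenders, "by_src": by_src, "by_dport": by_dport, "irq_events": irq_events}
```

Run it over a real /var/log/messages slice to see which sources and ports dominate the drops around the time the NIC reports "Too much work at interrupt".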
