Yes, at first I thought that too, and I checked the PCI slots and I put the ETH 
card on the bus that the only ETH card is on. It was a little better but 
still the same problem. But I think that if the server gets SYNed for 10 mins 
it's OK, but if it gets SYNed for about 30 min or more then the problem is 
there. And the CPU is not used more than 10% when the SYN is going on. Only 
if I enable logging, then a little more.

I have a log file of about 600Mb of logs, but not done with tcpdump. It looks 
like this; this log is a saved one from last month's attack:

Mar  5 22:44:41 one kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= 
MAC=00:00:e2:35:a6:ea:00:05:9a:ad:c4:08:08:00 SRC=213.169.218.251 DST=x.x.x.x 
LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=36853 PROTO=TCP SPT=1677 DPT=16411 
WINDOW=65535 RES=0x2c SYN URGP=4089

Mar  5 22:44:41 one kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= 
MAC=00:00:e2:35:a6:ea:00:05:9a:ad:c4:08:08:00 SRC=159.10.60.178 DST=x.x.x.x 
LEN=40 TOS=0x00 PREC=0x00 TTL=10 ID=40896 DF PROTO=TCP SPT=1855 DPT=3840 
WINDOW=65535 RES=0x00 SYN URGP=37903

If you still want the tcpdump, I can make the log next time.

But for now I disabled SYN logging because I always got a file more than 
600Mb big.

And yes, I use PortSentry too. But my SYN iptables protection drops packets 
before they get to PortSentry.


On Thursday 11 April 2002 22:58, you wrote:
> It has been my experience that this would be a PCI issue, as interrupts
> occur for the PCI bus that the card is on. It may help to look at your
> motherboard docs and see if you have more than one PCI bus and make sure
> the eth card is on a bus by itself. This could also be overloading the
> CPU, but not likely.
>
> > Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt,
> > IntrStatus=0x0001.
>
> Portsentry is a good idea. Do you know what port they are SYN flooding?
> Try using tcpdump to get a trace of it. I would be happy to look at the
> dump for you.
>
> Use something like this when it happens.
>
> tcpdump -nn -i eth0 dst net <your IP>
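
An added example (not part of the original thread): because a log like the one quoted above grows to hundreds of megabytes, this Python script streams the file line by line and summarizes source addresses, destination ports and TTLs from the `IPTABLES SYN-FLOOD-IN:` entries. The sample input is the two entries from the message re-joined onto single lines; the function names are chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two log entries quoted in the message, one per line.
SAMPLE = """\
Mar  5 22:44:41 one kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:00:e2:35:a6:ea:00:05:9a:ad:c4:08:08:00 SRC=213.169.218.251 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=36853 PROTO=TCP SPT=1677 DPT=16411 WINDOW=65535 RES=0x2c SYN URGP=4089
Mar  5 22:44:41 one kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:00:e2:35:a6:ea:00:05:9a:ad:c4:08:08:00 SRC=159.10.60.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=10 ID=40896 DF PROTO=TCP SPT=1855 DPT=3840 WINDOW=65535 RES=0x00 SYN URGP=37903
"""

PREFIX = "IPTABLES SYN-FLOOD-IN:"   # the --log-prefix seen in the quoted log
KV = re.compile(r"(\w+)=(\S*)")     # KEY=value tokens; value may be empty (OUT=)

def parse_line(line):
    """Return the netfilter LOG fields as a dict, or None for unrelated lines."""
    _, sep, body = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(KV.findall(body))
    # Bare tokens without '=' are IP/TCP flags such as DF, SYN, ACK.
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}
    return fields

def summarize(lines):
    """Count logged SYN packets per source, destination port and TTL."""
    src, dpt, ttl = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        f = parse_line(line)
        if f is None or "SYN" not in f["FLAGS"]:
            continue
        total += 1
        src[f.get("SRC")] += 1
        dpt[f.get("DPT")] += 1
        ttl[int(f.get("TTL", -1))] += 1
    return {"packets": total, "unique_sources": len(src),
            "top_sources": src.most_common(5),
            "top_ports": dpt.most_common(5), "ttl": dict(ttl)}

if __name__ == "__main__":
    import sys
    # Stream a log file given as the first argument, else use the sample.
    lines = (open(sys.argv[1], errors="replace") if len(sys.argv) > 1
             else SAMPLE.splitlines())
    for key, value in summarize(lines).items():
        print(f"{key}: {value}")
```

When nearly every packet comes from a different source address and the destination ports are scattered, as in the two sample entries, the sources are probably forged, so per-address blocking helps little compared with rate limiting.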
