Thanks to all so far for the info provided. Things have calmed down and 
I have about 9 IPs blocked, and it has seemed to help.

I am not 100% positive if they were spoofed or not, but after scanning 
each one, I am pretty sure they were not the average Joe web surfer.

I am somewhat familiar with ipchains and iptables and I think there is a 
way using either one to block spoofed IP addresses?

Does anyone know of this or the command off the top of their head?

Is there any negative impact to normal users?

This seems like the way to go, and you would think there would be 
default support for that in the kernel or in ipchains/iptables.

Next time I am under siege I will use tcpdump and see if I can get some 
further info if they are spoofed or not.

E.B. Dreger wrote:

> Hi Nico,
> 
> 
> 
>>>SYN flood != traffic flood
>>>
>>Wow, Big Bad on my part... Of course you are right, what was I
>>thinking? I probably was confusing these two types of flooding.
>>Apologies.
>>
> 
> I, of course, never make typos or erroneous statements. ;-)  And
> if you believe that, I have all sorts of magic potions to sell
> you...
> 
> No problem.  It was probably a good exercise to summarize a SYN
> flood, anyway.  Sort of like CJ was keen to mention backscatter,
> which I had forgotten to address.
> 
> Quick addendum while we're on it:  Non-spoofed SYN floods built
> using raw IP sockets mean that the attacker will send a RST in
> response to the SYN+ACK, as there is no TCP socket awaiting
> SYN+ACK.
> 
> The best way to trace these things is having a clueful upstream.
> And, please, everyone block spoofed packets at your edge unless
> you have a _really_ good reason not to.  Especially if you're
> running colo... it's the right thing to do.
> 
> 
> Eddy
> 
> Brotsman & Dreger, Inc. - EverQuick Internet Division
> Phone: +1 (316) 794-8922 Wichita/(Inter)national
> Phone: +1 (785) 865-5885 Lawrence
> --
> 
> Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> From: A Trap <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Please ignore this portion of my mail signature.
> 
> These last few lines are a trap for address-harvesting spambots.  Do NOT
> send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked.
> 
> _______________________________________________
> cobalt-developers mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
> 
> 
> 


-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone   707.766.9509
Fax     707.766.8989
http://www.obsidian-studios.com

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
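
The RST behaviour described in the quoted addendum can be checked against a tcpdump capture taken during a flood. The following is an added example, not part of the original thread: it assumes modern `tcpdump -n` text output, and the function name `classify_sources`, the sample lines and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: text lines from a modern `tcpdump -n` capture of TCP over IPv4.
LINE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify_sources(lines, server_ip):
    """Per client IP, count how each SYN sent to server_ip ended.
    completed: client ACKed our SYN+ACK (normal handshake)
    rst:       client answered our SYN+ACK with RST (real, reachable source)
    silent:    SYN+ACK sent, nothing captured back (consistent with a spoofed
               source, but also with a filtered or dead host)
    no_synack: no SYN+ACK captured, so the flow says nothing either way"""
    flows = {}  # (client_ip, client_port, server_port) -> state
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip:
            key = (src, sport, dport)
            if flags == "S":
                flows.setdefault(key, "no_synack")
            elif flows.get(key) == "silent":
                # The first client packet after our SYN+ACK decides the outcome.
                flows[key] = "rst" if "R" in flags else "completed"
        elif src == server_ip and flags == "S.":
            key = (dst, dport, sport)
            if flows.get(key) == "no_synack":
                flows[key] = "silent"
    result = defaultdict(lambda: dict(completed=0, rst=0, silent=0, no_synack=0))
    for (client, _, _), state in flows.items():
        result[client][state] += 1
    return dict(result)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
11:23:58.000 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, length 0
11:23:58.001 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.], seq 9, ack 2, length 0
11:23:58.040 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [R], seq 2, length 0
11:23:58.050 IP 203.0.113.77.1234 > 192.0.2.10.80: Flags [S], seq 5, length 0
11:23:58.051 IP 192.0.2.10.80 > 203.0.113.77.1234: Flags [S.], seq 7, ack 6, length 0
11:24:01.051 IP 192.0.2.10.80 > 203.0.113.77.1234: Flags [S.], seq 7, ack 6, length 0
11:24:02.000 IP 203.0.113.9.51000 > 192.0.2.10.80: Flags [S], seq 3, length 0
11:24:02.001 IP 192.0.2.10.80 > 203.0.113.9.51000: Flags [S.], seq 4, ack 4, length 0
11:24:02.030 IP 203.0.113.9.51000 > 192.0.2.10.80: Flags [.], ack 5, length 0
""".splitlines()

if __name__ == "__main__":
    print(classify_sources(SAMPLE, "192.0.2.10"))
```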
