that would be great, but the tcp connections that are valid need to be in the SYN_RECV state for a short period of time, and the attackers keep changing the 10-20 spoofed ip''s they are using, so we cant block specific ip's either. We are a web host and must actually respond to the valid packets.
On Tuesday 23 April 2002 12:51 pm, Ronald LeVine wrote: > Set your firewall defaults to drop the flood packets on the floor and not > return anything. :) > > With regards, > Ron LeVine > > > > Christopher > Maujean To: [EMAIL PROTECTED] > <cmaujean@premier cc: > elink.com> Subject: [EUG-LUG:2374] DOS > attacks (SYN Floods) Sent by: > owner-eug-lug@efn > .org > > > 04/23/2002 12:21 > PM > Please respond to > eug-lug > > > > > > > Is anyone else experiencing massive Syn flooding? we now have the FBI > involved > as the culprits are using ip spoofing to mask themselves. As a side note, > tcp_syncookies are great, as long as your overall server load for web > traffic > is small, but when your web traffic load is high to begin with, syncookies > arent much help. -- Christopher Maujean IT Director, Premierelink Communications [EMAIL PROTECTED] http://www.premierelink.com/ 541-344-8575x305 --------------------------------------------------------------- I am a meta-syntactic variable. --------------------------------------------------------------- 46F2 7B62 EFAF 4176 ---------------------------------------------------------------
