I have had quite some response on the problem, and solutions were diverse. Most of you have thought of the kernel-level Syncookie support. Gladly, I had this already configured both in kernel, and activated it when booting, when I put up the box a long time ago. This is probably why the attack still seems to be so unimportant. I don't dare to take out the support to see what happens, because I suspect the server going down right away. Probably should have mentioned that, but I totally forgot about it.
Having figured this out, it really *IS* an attempt to syn-flood, and not some crappy Relay Attack. This gives me time to think about how to solve my own bandwidth problem and server occupation, instead of worrying about someone else getting the blast off my own box.

The other solution was putting a limit on the Syn Packages. The biggest problem with this limit action is that the *vast* amount of spoofed syn-pack coming in will trip the switch the instant it resets itself. The big idea is to detect how often a particular IP, not known when programming the firewall, is throwing crap to me.

The solution I expect will solve this particular problem came from Russ, and is quoted below. Thanks, I'll try and work this out on my box to see if it really solves my problem.

Kind regards,
Reinder Gerritsen

-----Original Message-----
From: Russ Dill

http://www.netfilter.org/documentation/pomlist/pom-extra.html#recent

that patch should be able to handle it, note that the links are bad, but the actual patches aren't too hard to find
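The difference between the two approaches discussed in this message, a single limit on all SYN packets versus counting hits per source address, can be seen in a small simulation. This is an added example, not part of the original message or of the `recent` patch; it is a simplified model, the addresses, rates and thresholds are constructed, and it assumes the flood reuses a small set of source addresses.

```python
from collections import defaultdict, deque

LEGIT = "198.51.100.7"                            # constructed client address
FLOOD = [f"203.0.113.{i}" for i in range(1, 6)]   # constructed flood sources

def sample_traffic(seconds=10):
    """Constructed trace of (time_ms, src): 1000 SYN/s flood plus 1 legit SYN/s."""
    pkts = []
    for ms in range(seconds * 1000):
        pkts.append((ms, FLOOD[ms % len(FLOOD)]))
        if ms % 1000 == 500:
            pkts.append((ms, LEGIT))
    return pkts

def global_limit(pkts, rate_per_s=10, burst=10):
    """One token bucket shared by every source (a single SYN rate limit)."""
    tokens, last, accepted = burst * 1000, 0, []   # tokens in 1/1000 units
    for t, src in pkts:
        tokens = min(burst * 1000, tokens + (t - last) * rate_per_s)
        last = t
        if tokens >= 1000:
            tokens -= 1000
            accepted.append((t, src))
    return accepted

def per_source_limit(pkts, window_ms=1000, hitcount=20):
    """Drop a source once it reaches `hitcount` SYNs inside the sliding window."""
    seen, accepted = defaultdict(deque), []
    for t, src in pkts:
        hits = seen[src]
        while hits and t - hits[0] >= window_ms:
            hits.popleft()                         # forget hits outside the window
        hits.append(t)                             # every SYN counts, dropped or not
        if len(hits) < hitcount:
            accepted.append((t, src))
    return accepted

def count(accepted, src):
    return sum(1 for _, s in accepted if s == src)

if __name__ == "__main__":
    pkts = sample_traffic()
    for name, fn in (("global limit", global_limit), ("per-source", per_source_limit)):
        acc = fn(pkts)
        print(f"{name}: legit accepted {count(acc, LEGIT)}/10, "
              f"flood accepted {len(acc) - count(acc, LEGIT)}")
```

With the shared limit the flood takes every token as soon as it is refilled, so the legitimate client never gets through; with per-source counting each flooding address is cut off after its first hits and the client is unaffected.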