Hello,

My sites are currently having a lot of problems with a hacker who is constantly trying to bring down my web servers with SYN flood attacks.

I have enabled the SYN cookies mechanism and since doing so, he has not been able to bring down my servers, but he chews up a ton of bandwidth. I have a web server that is using Apache to host several sites on multiple IP addresses. It's easy to distinguish a legitimate user from the hacker because he cycles through my IP address range. He always attacks on port 80 and uses spoofed source addresses.

Is there any way to set netfilter to block when there are a number of half-open connections (with a status of SYN_RECV) in the queue with the SAME source address (spoofed or otherwise) waiting for an ACK (that never arrives)? I'd like to reject and reset any further connection attempts, at least for a period of time.

Thanks,
Rob
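One way to express the per-source rule asked for above with netfilter's `connlimit` and `recent` match modules, as an added example that is not from the original post or its author. It assumes a Linux host with iptables and those two modules available; the chain name `SYN_GUARD`, the list name `synflood` and the thresholds are chosen here for illustration.

```shell
#!/bin/sh
# Build an iptables-restore fragment that lists a source address once it holds
# more than MAX_HALF_OPEN in-progress TCP connections to the web port, then
# resets that source's further connection attempts for BAN_SECONDS.
# Caveat: per-source limits only help while the attacker reuses an address, and
# a tcp-reset reply goes to the (possibly spoofed) source; use -j DROP instead
# of REJECT if that backscatter is unwanted.
build_syn_guard() {
    out="$1"; port="$2"; max_half_open="$3"; ban_seconds="$4"
    cat > "$out" <<EOF
*filter
:SYN_GUARD - [0:0]
# Only new connection attempts (SYN without ACK) to the web port are inspected
-A INPUT -p tcp --dport $port --syn -j SYN_GUARD
# A source listed within the last $ban_seconds seconds gets a reset, not a SYN-ACK
-A SYN_GUARD -m recent --name synflood --rcheck --seconds $ban_seconds -j REJECT --reject-with tcp-reset
# connlimit counts conntrack entries per source; a half-open attempt keeps an
# entry until the handshake completes or the SYN_SENT timeout expires, so more
# than $max_half_open of them from one address lists that address and resets it
-A SYN_GUARD -m connlimit --connlimit-above $max_half_open --connlimit-mask 32 -m recent --name synflood --set -j REJECT --reject-with tcp-reset
-A SYN_GUARD -j RETURN
COMMIT
EOF
}

# Load the fragment without flushing the existing ruleset (-n / --noflush).
# Re-applying recreates the SYN_GUARD chain but appends a second INPUT jump,
# so remove the old jump first if you reload.
apply_syn_guard() {
    iptables-restore -n "$1"
}

# Show which sources are currently listed (xt_recent exposes each list here).
list_listed_sources() {
    cat /proc/net/xt_recent/synflood 2>/dev/null
}

# Usage: sh syn_guard.sh apply   (needs root)
case "${1:-}" in
    apply)
        rules=$(mktemp)
        build_syn_guard "$rules" 80 20 60
        apply_syn_guard "$rules"
        rm -f "$rules"
        ;;
esac
```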