Eric,

>And I've got 759 kernel warning possible SYN flood from (always unique IPs) on
>our.mail.server.com since sometime early on the 21st.
>
>Is this really a DoS attack, and if so how can we stop it?

Not necessarily: I've met 'Possible SYN flood... sending cookies'
type messages on a heavily loaded Linux box. In fact it was saying
'Help, I've run out of resources'. In our case it was CPU, since we
had a broken application running on the box, that deadlocked
files and put processes into extremely long (not quite infinite) loops.
We fixed the application, upgraded the hardware for good measure,
and nowadays the box handles twice the load with panache.

I'd also suggest upgrading your kernel to the newest possible
release, since sometimes this solves problems you didn't know
you had.

cheers,

Andrew Richards.
