I'm working on an issue where a user suspects an irregular but recurring SYN flood against a server (i.e. thousands of connections with only the SYN flag set -- never closed or ACKed)

I'm thinking I should be able to passively watch traffic to this host (mirror port) and use the IPTables 'LOG' function to note this type of attack to determine the source host (attacker). Before I implement my sniffer, is this the proper SYNtax (sorry ;) for what I'm trying to do:

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD: "

I've searched around, but reading the above makes me think that it will log *every* proper TCP connection (i.e. all that begin with a SYN). Should I be using the --state flag, and if so, what attribute (NEW, ESTABLISHED, INVALID, RELATED)???

Thanks!
Jeff

--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
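An added example, not from Jeff's post or from the TriLUG list, showing one way to approach this. The `--syn` match already means "SYN set, ACK/RST/FIN clear", so the rule above logs every new connection attempt whether or not a flood is underway; the rules below use the hashlimit match so that only sources sending SYNs faster than a per-source rate are logged, and the limit match so that the log itself cannot be flooded. The second function summarises the resulting kernel LOG lines per source, counting only SYN-without-ACK packets. The thresholds, chain name, log prefix and the sample log lines are constructed assumptions; it also assumes the packets reach this host's INPUT chain, which a mirror port alone does not guarantee, since frames addressed to another host are not delivered to INPUT.

```shell
#!/bin/sh
# Added example (not from the original post): rate-limited logging of SYN
# floods with iptables, plus a summariser for the resulting kernel log lines.
# Assumes the hashlimit and limit match modules are available. Thresholds,
# chain name, prefix and sample log lines below are constructed assumptions.

# DRY_RUN=1 (the default) prints the iptables commands instead of running them,
# so the script is safe to run unprivileged; set DRY_RUN=0 as root to apply.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"     # dry run: show the command (arguments unquoted)
    else
        "$@"
    fi
}

# --syn alone matches every connection attempt; hashlimit keeps only sources
# sending more than 20 SYN/s (burst 50), and limit caps how often we log at all.
syn_flood_rules() {
    run iptables -N SYNLOG
    run iptables -A SYNLOG -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "SYN FLOOD: " --log-level warning
    run iptables -A SYNLOG -j RETURN
    run iptables -A INPUT -p tcp --syn \
        -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 50 -j SYNLOG
}

# Read kernel LOG lines on stdin; count packets per SRC whose TCP flags (the
# bare words after RES=) include SYN but not ACK; print "count src", largest first.
top_syn_sources() {
    awk '
        /SYN FLOOD: / {
            src = ""; syn = 0; ack = 0; after_res = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^RES=/) { after_res = 1; continue }
                if (after_res && $i == "SYN") syn = 1
                if (after_res && $i == "ACK") ack = 1
            }
            if (src != "" && syn && !ack) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Constructed sample log: three SYN-only packets from 198.51.100.7, one from
# 203.0.113.9, one SYN/ACK from 203.0.113.9 (must not count), one unrelated line.
SAMPLE_LOG='Jan 10 03:14:15 gw kernel: SYN FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 03:14:15 gw kernel: SYN FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 03:14:16 gw kernel: SYN FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=4242 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:14:16 gw kernel: SYN FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=4243 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Jan 10 03:14:16 gw kernel: SYN FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 03:14:17 gw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 52000 ssh2'

# When run directly: show the rules (dry run), then summarise the sample.
syn_flood_rules
printf '%s\n' "$SAMPLE_LOG" | top_syn_sources
```

With the rules applied, the same summariser can be fed from the real log, e.g. `grep 'SYN FLOOD: ' /var/log/kern.log | top_syn_sources`, to rank the sources that tripped the per-source threshold.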