Jeff Bollinger wrote:

I'm working on an issue where a user suspects an irregular but reoccurring SYN flood against a server (i.e. thousands of connections with only the SYN flag set -- never closed or ACKd)

I'm thinking I should be able to passively watch traffic to this host (mirror port) and use the IPTables 'LOG' function to note this type of attack to determine the source host (attacker). Before I implement my sniffer, is this the proper SYNtax (sorry ;) for what I'm trying to do:

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD"

I've searched around, but reading the above makes me think that it will log *every* proper TCP connection (i.e. all that begin with a SYN). Should I be using the --state flag, and if so, what attribute (NEW, ESTABLISHED, INVALID, RELATED)???

Thanks!
Jeff

Below might work for you.

/glen


# ----------------------------------------------------------------
# SECTION FOR WHAT IS ALLOWED ON THE INPUT CHAIN
# ----------------------------------------------------------------

   # Check if this is a "good" IP packet, i.e., have seen the SYN
   iptables -A INPUT -j generic_drops

   #    Check for any tcp or udp established connection
   #    The packet is accepted or dropped, there is no return
   iptables -A INPUT -j established


## Allowed established connections
iptables -N established
iptables -A established -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A established -p tcp -j LOG --log-prefix "(drop-tcp)"
iptables -A established -p tcp -j DROP
iptables -A established -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A established -p udp -j LOG --log-prefix "(drop-udp)"
iptables -A established -p udp -j DROP
# ----------------------------------------------------------------
# SECTION FOR GENERIC DROPS w/wo LOGGING
# ----------------------------------------------------------------
iptables -N generic_drops
iptables -A generic_drops -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "DROP(no-syn)"
iptables -A generic_drops -p tcp ! --syn -m state --state NEW -j DROP
-- Glen Ford [EMAIL PROTECTED]
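Since the `--syn` match fires on every handshake-opening SYN (SYN set, ACK/RST/FIN clear), whether from a client or a flooder, a LOG rule like the one above will record normal connection opens too; telling a flood apart is then a matter of counting SYN-only packets per source over a short window. The script below is an added example, not code from either poster: it parses constructed LOG-target syslog lines (the host name, addresses, ports and the `SYN FLOOD ` prefix are assumptions) and reports the sources whose SYN rate spikes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the format the iptables LOG target
# writes. The prefix is given a trailing space so it does not run into IN=.
SAMPLE_LOG = """\
Mar  3 10:15:00 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 fw kernel: eth0: link is up
Mar  3 10:15:40 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")

def parse_line(line, year=2004):
    """Return (timestamp, key=value fields, bare tokens such as DF/SYN/ACK),
    or None for kernel lines that did not come from the LOG target."""
    m = LINE_RE.match(line)
    if not m or "IN=" not in m.group(2):
        return None
    stamp = " ".join(m.group(1).split())  # syslog pads the day with spaces
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    toks = m.group(2)[m.group(2).index("IN="):].split()  # drop the free-text prefix
    fields = dict(t.split("=", 1) for t in toks if "=" in t)
    return ts, fields, {t for t in toks if "=" not in t}

def syn_only_peaks(log_text, window_s=10):
    """Per source, the most SYN-only packets (SYN set, ACK clear, which is
    what --syn matches) seen in any window_s-second sliding window."""
    times = defaultdict(list)
    for ts, f, flags in filter(None, map(parse_line, log_text.splitlines())):
        if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            times[f["SRC"]].append(ts)
    peaks = {}
    for src, stamps in times.items():
        stamps.sort()
        j = best = 0
        for i, t in enumerate(stamps):
            while (t - stamps[j]).total_seconds() > window_s:
                j += 1  # slide the window start forward
            best = max(best, i - j + 1)
        peaks[src] = best
    return peaks

def flood_suspects(log_text, window_s=10, threshold=4):
    """Sources whose SYN-only peak reaches the threshold."""
    return sorted(s for s, n in syn_only_peaks(log_text, window_s).items() if n >= threshold)
```

The window and threshold are tuning knobs: a client that opens a connection every few seconds stays well below them, while the sample source sending four SYNs in one second is reported.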


-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
