Incidents
Spam and SYN Flood? Dec 18 2006 09:24PM
Curt LeCaptain (lecaptainc infinitytechnology com) (1 replies)
Re: Spam and SYN Flood? Dec 21 2006 12:52AM
Peter Kosinar (goober ksp sk)
Hello Curt,

> I've since enabled TCP_SYNCOOKIES as well as increased the SYN buffer to
> 4096, as well as shorten the amount of time that a SYN connection
> existed on the server. What I'm looking for is, am I creating a denial
> of service for myself, or is this coming from somewhere else that I'm
> just not expecting. If so, is there a way to trace this, or not?
>
> Example of syn_recv from netstat -anp output
>
> (this can go on for about 1500 connections, so that's why only about 15
> listed)

At first glance, it seems you're blocking the connections too late --
i.e. after the initial SYN packet has been received. I haven't played with
ipchains for ages, but couldn't you, by accident, have blocked the
communication in the other direction instead of the right one? That would
effectively block the SYN/ACK which is sent as an answer to the initial
SYN, thus causing the symptoms you're observing.

Peter

--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
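
Added example, not part of the original thread: one way to check the hypothesis in the reply above is to compare the remote addresses stuck in SYN_RECV against the networks the firewall is supposed to block. The netstat sample and the `BLOCKED_NETS` list are constructed for illustration (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -anp` output (documentation addresses only).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:25           198.51.100.7:4312       SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.7:4313       SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.99:1188      SYN_RECV    -
tcp        0      0 192.0.2.10:25           203.0.113.5:50122       SYN_RECV    -
tcp        0      0 192.0.2.10:22           203.0.113.80:40000      ESTABLISHED 812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      640/master
"""

# Assumption: the networks the firewall rules are meant to drop.
BLOCKED_NETS = ["198.51.100.0/24"]


def syn_recv_peers(netstat_text):
    """Count half-open (SYN_RECV) connections per remote IP."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, non-TCP sockets and anything not half-open.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        remote_ip = fields[4].rsplit(":", 1)[0]  # strip the port
        peers[remote_ip] += 1
    return peers


def classify(peers, blocked_nets):
    """Return (half-open count from blocked networks, count from elsewhere)."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    blocked = other = 0
    for ip, count in peers.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            blocked += count
        else:
            other += count
    return blocked, other


if __name__ == "__main__":
    blocked, other = classify(syn_recv_peers(SAMPLE_NETSTAT), BLOCKED_NETS)
    print(f"SYN_RECV from blocked networks: {blocked}, from elsewhere: {other}")
```

A SYN_RECV entry only exists once the inbound SYN has been accepted, so any half-open connection from a supposedly blocked network means the rule is not dropping the SYN on the way in.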

Copyright 2010, SecurityFocus