Perhaps "fake" is the wrong choice of words. Basically, looking for a SYN proxy or a SYN Cache. I saw references to SYNCache on BSD, but have not seen it implemented in Linux 2.4 yet. If the attacks were coming from a single host(s) it is easy to filter them out, even automatically with something like portsentry or hostsentry, but these are 2-3 connections per IP coming from hundreds/thousands of IPs. To make matters worse, it's a busy web server so one can't distinguish between real web traffic and flooding attempts. With squid, are there any issues with setting it up as a "reverse web proxy"? I mean, I use squid at home, but for outbound proxy traffic, this would be a transparent inbound proxy. How do I set it up as that? ----- Original Message ----- From: "Brian" <hiryuu@envisiongames.net> To: "Jim Roland" <jroland@roland.net>; <linux-net@vger.kernel.org> Sent: Sunday, May 12, 2002 6:22 PM Subject: Re: SYN Floods > On Sunday 12 May 2002 03:52 pm, Jim Roland wrote: > > I have a host behind a routed firewall (not a NAT situation) that is > > being flooded by randomly spoofed/distributed SYN Flooding. There are > > approximately 8-12 pages of SYN_RECV connections, and it effectively > > slows down the webserver. > > > > Is there any software that I can sit on my firewall or on the same host > > that will "fake" the SYN/SYN+ACK/ACK handshake, and if a valid SYN, pass > > it along to Apache? I need to keep Apache from slowing down. > > There's nothing really 'fake' about that -- it's a whole TCP connection. > Depending on the severity of the flood, a squid with about 16,000 file > descriptors and a low timeout may survive it, passing the completed > requests back to apache. > > -- Brian > - > : send the line "unsubscribe linux-net" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
