In article <000001c1fa0f$d612bc10$2002a8c0@jimws> you wrote:

> Perhaps "fake" is the wrong choice of words. Basically, looking for a SYN
> proxy or a SYN Cache. I saw references to SYNCache on BSD, but have not
> seen it implemented in Linux 2.4 yet.

Linux will drop into SYN-Cookie mode at some threshold; in that mode it will
not bother Apache with the incoming SYN requests. This is a suboptimal mode of
processing, which is why it is not turned on all the time. Check out
/proc/sys/net/ipv4/tcp_syncookies and set it to 1 to activate the conditional
syncookie feature.

Any HTTP Application Level Gateway (or for that matter even a TCP Socket
Gateway) will protect your servers, but of course the proxy needs to be
configured to be robust against SYN floods.

> If the attacks were coming from a single host(s) it is easy to filter them
> out, even automatically with something like portsentry or hostsentry, but
> these are 2-3 connections per IP coming from hundreds/thousands of IPs. To
> make matters worse, it's a busy web server so one can't distinguish between
> real web traffic and flooding attempts.

Actually, if this is a DDOS against you, you might be able to recognize a
common pattern in those spoofed SYNs, for example the same ID, same source
port, special TOS flags or anything like that.

> With squid, are there any issues with setting it up as a "reverse web
> proxy"? I mean, I use squid at home, but for outbound proxy traffic, this
> would be a transparent inbound proxy. How do I set it up as that?

There are some documents out there describing this; just search for
"squid http accelerator inbound proxy" on Google.

Greetings
Bernd
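The pattern check Bernd suggests (spoofed SYNs sharing the same IP ID, source port and TOS byte while arriving from many different addresses) can be scripted over a capture. The following is an added example, not code from the thread or from any tool mentioned in it; the capture lines are constructed in tcpdump `-nn -v` style, the field layout and the threshold of three distinct sources are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture (made up for this example, not from the thread):
# three ordinary clients plus four spoofed SYNs that share IP ID, source port
# and TOS byte. One ACK line is included to show that non-SYN traffic is ignored.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 64, id 12345, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.44123 > 192.0.2.10.80: Flags [S], seq 1, win 65535
IP (tos 0x0, ttl 63, id 9981, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.6.51002 > 192.0.2.10.80: Flags [S], seq 7, win 65535
IP (tos 0x8, ttl 245, id 4660, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.7.1234 > 192.0.2.10.80: Flags [S], seq 0, win 512
IP (tos 0x8, ttl 245, id 4660, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.8.1234 > 192.0.2.10.80: Flags [S], seq 0, win 512
IP (tos 0x0, ttl 64, id 12346, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.44123 > 192.0.2.10.80: Flags [.], ack 1, win 65535
IP (tos 0x8, ttl 245, id 4660, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.2.1234 > 192.0.2.10.80: Flags [S], seq 0, win 512
IP (tos 0x0, ttl 62, id 301, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.7.38811 > 192.0.2.10.80: Flags [S], seq 9, win 65535
IP (tos 0x8, ttl 245, id 4660, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.9.1234 > 192.0.2.10.80: Flags [S], seq 0, win 512
"""

# Matches the TOS byte, IP ID, source IP and source port of a bare SYN (Flags [S]).
SYN_RE = re.compile(
    r"tos 0x([0-9a-fA-F]+), ttl \d+, id (\d+),.*?\) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.\d+: Flags \[S\]"
)

def parse_syns(text):
    """Yield (tos, ip_id, sport, src_ip) for every SYN line in the capture text."""
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2)), int(m.group(4)), m.group(3)

def find_syn_patterns(text, min_sources=3):
    """Group SYNs by the header fields a flood tool tends to leave constant
    (TOS, IP ID, source port) and report groups seen from many distinct sources.
    Real clients pick varying IDs and ephemeral ports, so they do not cluster."""
    sources = defaultdict(set)
    for tos, ip_id, sport, src in parse_syns(text):
        sources[(tos, ip_id, sport)].add(src)
    return {key: sorted(ips) for key, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    for (tos, ip_id, sport), ips in find_syn_patterns(SAMPLE_CAPTURE).items():
        print(f"tos=0x{tos:x} id={ip_id} sport={sport}: {len(ips)} sources -> {', '.join(ips)}")
```

On a live box the same function can be fed the output of a capture of inbound SYNs to port 80; a group that is flagged here is a candidate for a firewall match on those constant header fields rather than on source address.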