At 07:50 PM 05/12/2002, Jim Roland wrote:
>Perhaps "fake" is the wrong choice of words. Basically, looking for a SYN
>proxy or a SYN Cache. I saw references to SYNCache on BSD, but have not
>seen it implemented in Linux 2.4 yet.
>
>If the attacks were coming from a single host(s) it is easy to filter them
>out, even automatically with something like portsentry or hostsentry, but
>these are 2-3 connections per IP coming from hundreds/thousands of IPs. To
>make matters worse, it's a busy web server so one can't distinguish between
>real web traffic and flooding attempts.

SYN floods are a tricky issue. We have a pps filter that you can set that
will filter them once a threshold is reached, but there is no way to
distinguish between real requests and bogus ones, so you will also drop the
real ones. Usually the goal is to keep your server from crashing, which it
does, but only filtering "bad" SYNs, which is what you really want, is not
available.

Dennis
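
The trade-off described in the reply above, as an added simulation that is not part of the original message and is not the code of the filter it mentions: a packets-per-second threshold applied to a mixed SYN stream, measuring how many genuine SYNs are dropped along with the flood. The fixed one-second window, the traffic rates and all function names are assumptions made for the illustration.

```python
"""Simulate a packets-per-second SYN threshold filter over constructed traffic."""
from collections import Counter


def pps_filter(packets, threshold):
    """Pass at most `threshold` SYNs per one-second window; drop the rest.

    `packets` is an iterable of (timestamp_seconds, label) tuples. The label
    is simulation ground truth only: the filter never reads it, because a
    real filter cannot tell a spoofed SYN from a genuine one.
    """
    seen = Counter()                      # SYNs counted so far per window
    passed, dropped = Counter(), Counter()
    for ts, label in packets:
        window = int(ts)
        seen[window] += 1
        if seen[window] <= threshold:
            passed[label] += 1
        else:
            dropped[label] += 1           # over threshold: dropped blindly
    return passed, dropped


def build_traffic(seconds, legit_pps, flood_pps):
    """Constructed sample: evenly spaced legit and flood SYNs, merged by time."""
    packets = []
    for s in range(seconds):
        packets += [(s + i / legit_pps, "legit") for i in range(legit_pps)]
        packets += [(s + (i + 0.5) / flood_pps, "flood") for i in range(flood_pps)]
    return sorted(packets)


def legit_loss(seconds, legit_pps, flood_pps, threshold):
    """Fraction of genuine SYNs the threshold filter drops."""
    traffic = build_traffic(seconds, legit_pps, flood_pps)
    passed, dropped = pps_filter(traffic, threshold)
    total = passed["legit"] + dropped["legit"]
    return dropped["legit"] / total if total else 0.0


if __name__ == "__main__":
    # Constructed scenario: a busy server (200 SYN/s) behind a 400 pps cap.
    for flood in (0, 500, 5000):
        loss = legit_loss(seconds=10, legit_pps=200, flood_pps=flood, threshold=400)
        print(f"flood={flood:>5} pps  legit SYNs dropped: {loss:.0%}")
```

Because the filter admits the first SYNs of each window regardless of origin, the share of genuine connections that survive shrinks as the flood rate grows, even though the total load reaching the server stays capped.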