re: ip_conntrack_max vs ip_conntrack

On Mon, 27 Sep 2004 at 19:52, Jiann-Ming Su wrote:
> I'd like to know what some of these proc parameters mean as well. 
> What we're experiencing is a SYN flood attack that's filling up the
> connection tables.  What I'd like to do is change the timeout to 5
> seconds, instead of the default 30 seconds.

The ip_conntrack_max parameter sets the maximum number of
entries that the conntrack table can hold at a time.
ip_conntrack is the file that contains the conntrack table;
it lists the IPs and their states.

If you want to limit the SYN flooding, you should use the
limit match of iptables, or you can use the TCP SYN cookie
feature of netfilter. It can be activated in
/proc/sys/net/ipv4/tcp_syncookies.

For the limit match look at:
iptables -m limit --help

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
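A defender-side check for the table-filling condition discussed in this thread, added here as an example and not part of the original mail: it counts total and half-open (SYN_RECV) entries in an ip_conntrack dump and compares them against ip_conntrack_max. The sample table is constructed, and the sysctl path and iptables limit rule in the trailing comments are assumptions, not taken from the reply.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack format (not captured from a real host):
# three half-open SYN_RECV entries, one ESTABLISHED, one UDP.
CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 59 SYN_RECV src=203.0.113.7 dst=198.51.100.5 sport=1025 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1025 use=1
tcp      6 58 SYN_RECV src=203.0.113.8 dst=198.51.100.5 sport=1026 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.8 sport=80 dport=1026 use=1
udp      17 29 src=192.0.2.11 dst=198.51.100.5 sport=5353 dport=53 src=198.51.100.5 dst=192.0.2.11 sport=53 dport=5353 use=1
tcp      6 57 SYN_RECV src=203.0.113.9 dst=198.51.100.5 sport=1027 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.9 sport=80 dport=1027 use=1'

# count_entries FILE -> number of entries in the conntrack table dump
count_entries() { grep -c . "$1"; }

# count_state FILE STATE -> entries in one TCP state, e.g. SYN_RECV (half-open)
count_state() { grep -c " $2 " "$1"; }

# usage_pct FILE MAX -> integer percentage of ip_conntrack_max in use
usage_pct() { echo $(( $(count_entries "$1") * 100 / $2 )); }

# check FILE MAX -> prints a verdict; returns 1 when the table is over 80% full
# or more than half of its entries are half-open (what a SYN flood looks like)
check() {
    total=$(count_entries "$1")
    pct=$(usage_pct "$1" "$2")
    synrecv=$(count_state "$1" SYN_RECV)
    if [ "$pct" -gt 80 ] || [ $(( synrecv * 2 )) -gt "$total" ]; then
        echo "WARNING: $total/$2 entries (${pct}%), $synrecv half-open"
        return 1
    fi
    echo "ok: $total/$2 entries (${pct}%), $synrecv half-open"
}

# On a live box point it at the real files (assumed paths; the sysctl location
# differs between kernel versions):
#   check /proc/net/ip_conntrack "$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)"
# Mitigations named in the reply, as an assumed rule set:
#   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#   iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 30 -j ACCEPT
#   iptables -A INPUT -p tcp --syn -j DROP
sample=$(mktemp)
printf '%s\n' "$CONNTRACK_SAMPLE" > "$sample"
check "$sample" 10 || true
rm -f "$sample"
```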