Hi,

> The plan I'm looking at is possibly blocking all packets with SYN alone,
> no ACK... would this be possible with iptables, and how would this affect
> other web services?

The main problem with SYN DoS attacks is the fact that, if the attack is big enough, it eats machine resources: no matter what you can do at layer 3, it beats you down at layer 1, because every time the NIC receives a packet it generates an interrupt, and if you are receiving > 100.000 pps, your system simply collapses in a few seconds.

Against that, but not yet well implemented in Linux, you can use polling (as, for example, FreeBSD can do), but this still won't save you if the attack is big enough.

Your only solution is then asking your uplink to ratelimit the amount of SYNs per second arriving to you.

Regards,
- Ruben
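The host-side rule the original poster asked about, written out as an added example that is not part of Ruben's reply or the thread: it diverts SYN-without-ACK segments into a dedicated chain and drops only those above a token-bucket rate, which is what "blocking SYN alone" looks like in practice without breaking legitimate new connections. It assumes iptables and root privileges; the `IPT` variable, the `SYN_FLOOD` chain name and the rate/burst values are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit TCP segments that have SYN
# set and ACK clear (iptables "--syn" matches SYN set, ACK/RST/FIN clear) in a
# dedicated chain, so bursts above the threshold are dropped inside netfilter
# while normal connection attempts pass.
# Caveat from the reply above: every packet has already raised a NIC interrupt
# before it reaches this chain, so this bounds kernel/socket work on the host,
# not the interrupt load; upstream rate limiting is still needed for big floods.
# Assumptions: iptables is installed and the script runs as root. IPT may be
# overridden (e.g. IPT=echo) to preview the commands without changing rules.
IPT="${IPT:-iptables}"

# apply_syn_limit RATE BURST: install the SYN_FLOOD chain with a token bucket
# of RATE new SYNs per second and an initial burst allowance of BURST.
apply_syn_limit() {
    rate="$1"
    burst="$2"
    # create the chain; -N fails harmlessly if it exists, so flush it after
    "$IPT" -N SYN_FLOOD 2>/dev/null || true
    "$IPT" -F SYN_FLOOD
    # only SYN-without-ACK segments (new connection attempts) are diverted
    "$IPT" -A INPUT -p tcp --syn -j SYN_FLOOD
    # within budget: return to INPUT and let the normal policy decide
    "$IPT" -A SYN_FLOOD -m limit --limit "${rate}/s" --limit-burst "$burst" -j RETURN
    # over budget: drop; the host never allocates connection state for it
    "$IPT" -A SYN_FLOOD -j DROP
}

# syn_limit_rules RATE BURST: print the commands apply_syn_limit would run,
# without touching the firewall (useful for review before applying).
syn_limit_rules() {
    ( IPT=echo; apply_syn_limit "$1" "$2" )
}

# Usage: ./synlimit.sh apply [RATE] [BURST]; without "apply" nothing changes.
if [ "${1:-}" = "apply" ]; then
    apply_syn_limit "${2:-50}" "${3:-100}"
fi
```

Run `syn_limit_rules 50 100` first to review the exact rules, then `apply` them; tune RATE to the legitimate new-connection rate the service actually sees.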