Hi there,

On Mon, 27 Nov 2006 AntiProxy wrote:

> One of my servers was hit by a DDoS attack earlier today,
> and the pattern was different to those I've seen before.
>
> netstat doesn't show any TCP or UDP connections in any state.
>
> However, TCPDUMP shows the following (I'm posting a few lines of
> millions):
> [...]
> What does it tell you?

Somebody is trying to spoof a machine on your network?

I'd have thought a reasonable box could drop 15k packets/second OK, but you might need to put rules in the INPUT chain to drop everything from the offending IPs.

For this kind of thing I use a Perl script to scan the logs and insert rules into iptables in real time. Its input is piped from syslog-ng. It takes a bit of setting up, but it's worth it.

If there are large numbers (thousands) of attacking IPs you'll need to look at something like ipset, as iptables will begin to creak a bit.

If this continues you might want to contact your upstream provider. They will want to help if they're at all reputable.

--
73,
Ged.
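The log-driven blocker Ged describes (syslog-ng pipes log lines in, rules go into iptables, ipset once the offender list gets long) can be sketched in a few dozen lines. The following is an added example in Python, not Ged's Perl script and not anything from the thread. It assumes the lines arriving on stdin are netfilter LOG-target records (SRC=..., DST=..., PROTO=...) as syslog-ng forwards them; the sample lines, the threshold/window values, and the set name ddos_drop are all constructed for the example.

```python
#!/usr/bin/env python3
"""Rate-based source blocker fed from syslog (added example, not the
poster's Perl script).

Assumptions, none of which come from the original thread:
  * Each input line is a netfilter LOG-target record, e.g.
    "... kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 ... SYN".
  * A source that produces more than THRESHOLD logged packets inside
    WINDOW seconds is blocked for the rest of the run.
  * With USE_IPSET the block is one "ipset add" into a hash:ip set that
    a single iptables rule references; otherwise a per-IP DROP rule is
    inserted at the top of INPUT (fine for a handful of IPs, not thousands).

One-time setup for the ipset path (hypothetical, adjust to taste):
    ipset create ddos_drop hash:ip timeout 3600
    iptables -I INPUT -m set --match-set ddos_drop src -j DROP
"""
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

THRESHOLD = 5          # packets per WINDOW before a source is blocked
WINDOW = 2.0           # seconds
USE_IPSET = True
IPSET_NAME = "ddos_drop"

_SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines in netfilter LOG format (not taken from the post).
SAMPLE_LOG = [
    "Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3271 DPT=80 SYN",
    "Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3272 DPT=80 SYN",
    "Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=51022 DPT=22 SYN",
    "Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3273 DPT=80 SYN",
]


def parse_src(line):
    """Return the SRC= address from a netfilter LOG line, or None if absent."""
    m = _SRC_RE.search(line)
    return m.group(1) if m else None


def block_commands(ip, use_ipset=USE_IPSET):
    """Commands (argv lists) that block one source address."""
    if use_ipset:
        # "-exist" makes a repeated add harmless if the set already holds ip.
        return [["ipset", "add", IPSET_NAME, ip, "-exist"]]
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]]


class RateBlocker:
    """Sliding-window packet counter per source; decides when to block."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, use_ipset=USE_IPSET):
        self.threshold = threshold
        self.window = window
        self.use_ipset = use_ipset
        self.seen = defaultdict(deque)   # ip -> timestamps of recent packets
        self.blocked = set()

    def observe(self, line, now=None):
        """Feed one log line; return the block commands if this line tips
        its source over the limit, otherwise an empty list."""
        now = time.time() if now is None else now
        ip = parse_src(line)
        if ip is None or ip in self.blocked:
            return []
        q = self.seen[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop packets outside window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(ip)
            del self.seen[ip]                     # stop counting, it is gone
            return block_commands(ip, self.use_ipset)
        return []


def run(lines, execute=False, **kw):
    """Process lines; run (or merely collect) the resulting block commands."""
    blocker = RateBlocker(**kw)
    issued = []
    for line in lines:
        for cmd in blocker.observe(line):
            issued.append(cmd)
            if execute:
                subprocess.run(cmd, check=False)
    return issued


if __name__ == "__main__":
    # syslog-ng pipes log lines to stdin; pass --execute to actually touch
    # netfilter, otherwise the commands are only printed for inspection.
    for cmd in run(sys.stdin, execute="--execute" in sys.argv):
        print(" ".join(cmd), file=sys.stderr)
```

Wire it in with a syslog-ng program() destination (or any pipe) and run with --execute once the printed commands look right. The ipset path is the one to use against thousands of sources: one set match costs the same whether the set holds ten entries or a hundred thousand, whereas a chain of per-IP rules is walked linearly for every packet.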