Actually, it's an external attack, apparently from a whole bunch of compromised machines. One thing I thought of was to pipe tcpdump's output into a couple of awks and seds and generate iptables rules on the fly. Let's see how this goes.

On Mon, 2006-11-27 at 08:38 +0000, G.W. Haywood wrote:
> Hi there,
>
> On Mon, 27 Nov 2006 AntiProxy wrote:
>
> > One of my servers was hit by a DDoS attack earlier today,
> > and the pattern was different to those I've seen before.
> >
> > netstat doesn't show any TCP or UDP connections in any state.
> >
> > However, tcpdump shows the following (I'm posting a few lines of
> > millions):
> > [...]
> > What does it tell you?
>
> Somebody is trying to spoof a machine on your network?
>
> I'd have thought a reasonable box could drop 15k packets/second OK but
> you might need to put rules in the INPUT chain to drop everything from
> the offending IPs. For this kind of thing I use a Perl script to scan
> the logs and insert rules into iptables in real time. Its input is
> piped from syslog-ng. It takes a bit of setting up but it's worth it.
> If there are large numbers (thousands) of attacking IPs you'll need to
> look at something like ipset as iptables will begin to creak a bit.
>
> If this continues you might want to contact your upstream provider.
> They will want to help if they're at all reputable.
>
> --
>
> 73,
> Ged.
>
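The two ideas in this exchange, AntiProxy's "tcpdump into awk, out come iptables rules" and Ged's "use ipset once there are thousands of sources", can be sketched in one short script. What follows is an added example, not AntiProxy's pipeline or Ged's Perl script. It assumes the packet stream is in the format of `tcpdump -n` (source written as `host.port`, or a bare `host` for ICMP), that the server's own address is 203.0.113.5 (it must be excluded, since it shows up as the source of its own replies), and that an ipset named `attackers` exists; the sample lines and all addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Constructed sample in the shape of `tcpdump -n` output (addresses are made up).
SAMPLE='12:00:01.000001 IP 198.51.100.7.40001 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 198.51.100.7.40002 > 203.0.113.5.80: Flags [S], seq 2, win 512, length 0
12:00:01.000003 IP 198.51.100.7.40003 > 203.0.113.5.80: Flags [S], seq 3, win 512, length 0
12:00:01.000004 IP 192.0.2.9.5000 > 203.0.113.5.80: Flags [S], seq 4, win 512, length 0
12:00:01.000005 IP 203.0.113.5.80 > 192.0.2.9.5000: Flags [S.], seq 0, ack 5, win 512, length 0
12:00:01.000006 IP 198.51.100.8.1234 > 203.0.113.5.53: UDP, length 40
12:00:01.000007 IP 198.51.100.8 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64'

# offenders THRESHOLD MYIP
# Read tcpdump -n lines on stdin; print, sorted, every source IP that sent at
# least THRESHOLD packets, skipping our own address MYIP.
offenders() {
    threshold="$1"; myip="$2"
    awk -v t="$threshold" -v me="$myip" '
        $2 == "IP" {
            # Field 3 is "a.b.c.d.port" for TCP/UDP, bare "a.b.c.d" for ICMP:
            # five dotted parts means the last one is a port to strip.
            n = split($3, a, ".")
            if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]; else src = $3
            if (src != me) count[src]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip }
    ' | sort
}

# block_rules THRESHOLD MYIP [SETNAME]
# Emit one command per offender. Without SETNAME: one iptables DROP rule per
# IP (fine for a handful). With SETNAME: ipset additions, so a single
# iptables rule matching the set covers thousands of sources.
block_rules() {
    threshold="$1"; myip="$2"; setname="$3"
    offenders "$threshold" "$myip" | while read -r ip; do
        if [ -n "$setname" ]; then
            printf 'ipset add %s %s\n' "$setname" "$ip"
        else
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Demonstration on the constructed sample: sources with 2+ packets, as ipset adds.
printf '%s\n' "$SAMPLE" | block_rules 2 203.0.113.5 attackers
```

In real use the input would come from `tcpdump -n -l -i eth0 | block_rules 50 203.0.113.5 attackers`, with the generated commands reviewed before being piped into `sh`. The set is created once with `ipset create attackers hash:ip` and matched by one rule, `iptables -I INPUT -m set --match-set attackers src -j DROP`, which is the point of Ged's ipset suggestion. The caveat Ged raises still applies: if the source addresses are spoofed, this list names victims rather than attackers and blocking it buys nothing, which is when the upstream provider has to be involved.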