Hope this solves this problem:

    # This enables SYN flood protection.
    # The SYN cookies activation allows your system to accept an unlimited
    # number of TCP connections while still trying to give reasonable
    # service during a denial of service attack.
    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    else
        $SYSCTL net.ipv4.tcp_syncookies="1"
    fi

Make sure `CONFIG_SYN_COOKIES' is compiled into the kernel while configuring the kernel.

On Tuesday 24 April 2007 03:24, Andrew Kraslavsky wrote:
> Hello,
>
> For SYN flood protection, it seems OpenBSD's pf deploys something they call
> a "SYN proxy" whereby the 3 step TCP handshake is completed by this proxy
> so as to avoid SYN floods to the actual target.
>
> This OpenBSD pf feature is described here:
> http://www.openbsd.org/faq/pf/filter.html#synproxy
>
> The target is only brought into the picture if and when the handshake is
> complete.
>
> I guess pf must then adjust the real target's sequence numbers so as not to
> confuse the initiator of the connection.
>
> Has something like this been implemented via iptables?
>
> If not, are there any plans to do so?
>
> Thanks,
>
> - Andrew Kraslavsky
>
> _________________________________________________________________
> MSN is giving away a trip to Vegas to see Elton John. Enter to win today.
> http://msnconcertcontest.com?icid-nceltontagline

--
Wang, Baojun
Lanzhou University
Distributed & Embedded System Lab
http://dslab.lzu.edu.cn
School of Information Science and Engineering
wangbj@xxxxxxxxxx
Tianshui South Road 222, Lanzhou 730000, P.R. China
Tel: +86-931-8912025
Fax: +86-931-8912022
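The snippet in the reply only flips the sysctl. As an added example (not part of the original thread, and not code from the netfilter project), the script below shows the checks an administrator would run around it: read the current tcp_syncookies value, confirm CONFIG_SYN_COOKIES is present in the running kernel's config (from /proc/config.gz or /boot/config-$(uname -r)), and count half-open SYN-RECV sockets from `ss -tan` output, since a spike of those is the usual sign that a SYN flood is under way and that cookies are needed. The sample `ss` lines embedded in the block are constructed; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: verify SYN-cookie support and look for SYN-flood symptoms.
# Paths are the standard Linux ones; the sample socket table below is constructed.

SYSCTL_PATH=/proc/sys/net/ipv4/tcp_syncookies

# Print the current tcp_syncookies value ("0" or "1"), or "unknown" if the
# proc file cannot be read (for example on a non-Linux host or in a sandbox).
# An optional argument overrides the path, which makes the function testable.
syncookies_state() {
    path="${1:-$SYSCTL_PATH}"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo unknown
    fi
}

# Return 0 if CONFIG_SYN_COOKIES=y is in the kernel config, 1 if the config
# was found but the option is absent, 2 if no config file could be located.
# An optional argument names a config file explicitly.
kernel_has_syncookies() {
    cfg="${1:-}"
    if [ -n "$cfg" ]; then
        grep -q '^CONFIG_SYN_COOKIES=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_SYN_COOKIES=y'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep -q '^CONFIG_SYN_COOKIES=y' "/boot/config-$(uname -r)"
    else
        return 2
    fi
}

# Count sockets in the SYN-RECV state from `ss -tan` output, read from the
# files given as arguments or from stdin. Half-open connections that never
# complete the handshake are what a SYN flood leaves behind.
count_syn_recv() {
    awk 'NR > 1 && $1 == "SYN-RECV" { n++ } END { print n + 0 }' "$@"
}

# Constructed sample in `ss -tan` format: two half-open connections and one
# established one, so the counter should report 2.
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80         198.51.100.7:51000
ESTAB    0      0      10.0.0.5:80         198.51.100.8:51001
SYN-RECV 0      0      10.0.0.5:80         198.51.100.9:51002
EOF
}

# Stand-alone run: report on this host, then on the constructed sample.
# (On a live box replace the sample with: ss -tan | count_syn_recv)
echo "tcp_syncookies on this host: $(syncookies_state)"
if kernel_has_syncookies; then
    echo "kernel built with CONFIG_SYN_COOKIES"
else
    echo "CONFIG_SYN_COOKIES not confirmed from kernel config"
fi
echo "SYN-RECV sockets in constructed sample: $(sample_ss_output | count_syn_recv)"
```

The setting written by the original snippet is lost at reboot; to keep it, put `net.ipv4.tcp_syncookies = 1` in /etc/sysctl.conf as well. Note that SYN cookies are a fallback that kicks in once the listen backlog is full, so a small backlog (net.ipv4.tcp_max_syn_backlog) will trigger them earlier than a large one.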