RE: Help with DOS attack

Two things you probably want to do:

1) Enable SYN cookies (disables use of the TCP backlog). It's used in most
systems to reduce the effects of a SYN flooding attack.

2) Contact your ISP. They can usually help you with such problems. In
general they are not happy with attacks directed to their networks.

- Joris

>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonny K
>Sent: Sunday 20 May 2007 7:28
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Re: Help with DOS attack
>
>> It looks like someone is DoS attacking my server. Any ideas how I can handle it?
>>
>> (I already used sysctl and changed the backlog queue to 4096 instead of 1024, and I set the SYN timeout to 9 sec)
>>
>> Any other ideas?
>>
>>
>> Here are my netstat outputs
>>
>>
>> [root@MYHOST ~]# netstat -an | grep SYN_REC  | wc
>>     372    2232   33108
>> [root@MYHOST ~]#
>>
>>
>>
>>
>> Ip:
>>     496709034 total packets received
>>     0 forwarded
>>
>>     0 incoming packets discarded
>>     496547054 incoming packets delivered
>>     389034562 requests sent out
>>     55 fragments dropped after timeout
>>     499 reassemblies required
>>     54 packets reassembled ok
>>
>>     55 packet reassembles failed
>>     2 fragments received ok
>> Icmp:
>>     17083 ICMP messages received
>>     25 input ICMP message failed.
>>     ICMP input histogram:
>>         destination unreachable: 11255
>>
>>         timeout in transit: 1579
>>         source quenches: 353
>>         echo requests: 3880
>>         echo replies: 16
>>     24339 ICMP messages sent
>>     0 ICMP messages failed
>>     ICMP output histogram:
>>         destination unreachable: 20459
>>
>>         echo replies: 3880
>> Tcp:
>>     33725 active connections openings
>>     38693945 passive connection openings
>>     312156 failed connection attempts
>>     521243 connection resets received
>>     3 connections established
>>
>>     495811236 segments received
>>     388303537 segments send out
>>     14565173 segments retransmited
>>     10279 bad segments received.
>>     136512 resets sent
>> Udp:
>>     718164 packets received
>>     571 packets to unknown port received.
>>
>>     0 packet receive errors
>>     720360 packets sent
>> TcpExt:
>>     421 SYN cookies sent
>>     99 SYN cookies received
>>     43807 invalid SYN cookies received
>>     1188232 resets received for embryonic SYN_RECV sockets
>>
>>     14 packets pruned from receive queue because of socket buffer overrun
>>     221 ICMP packets dropped because they were out-of-window
>>     71 ICMP packets dropped because socket was locked
>>     34829434 TCP sockets finished time wait in fast timer
>>
>>     2 time wait sockets recycled by time stamp
>>     15358 packets rejects in established connections because of timestamp
>>     256833 delayed acks sent
>>     2653 delayed acks further delayed because of locked socket
>>
>>     Quick ack mode was activated 119773 times
>>     74580 times the listen queue of a socket overflowed
>>     74580 SYNs to LISTEN sockets ignored
>>     39205589 packets directly queued to recvmsg prequeue.
>>     8376974 packets directly received from backlog
>>
>>     2265096902 packets directly received from prequeue
>>     806823 packets header predicted
>>     36687371 packets header predicted and directly queued to user
>>     238781476 acknowledgments not containing data received
>>
>>     125709890 predicted acknowledgments
>>     29275 times recovered from packet loss due to fast retransmit
>>     1927589 times recovered from packet loss due to SACK data
>>     1362 bad SACKs received
>>     Detected reordering 6628 times using FACK
>>
>>     Detected reordering 4312 times using SACK
>>     Detected reordering 4875 times using reno fast retransmit
>>     Detected reordering 11976 times using time stamp
>>     6435 congestion windows fully recovered
>>
>>     66640 congestion windows partially recovered using Hoe heuristic
>>     TCPDSACKUndo: 957
>>     16664 congestion windows recovered after partial ack
>>     4188573 TCP data loss events
>>     TCPLostRetransmit: 1192
>>
>>     5491 timeouts after reno fast retransmit
>>     260050 timeouts after SACK recovery
>>     200153 timeouts in loss state
>>     6505780 fast retransmits
>>     695080 forward retransmits
>>     4881678 retransmits in slow start
>>
>>     1084146 other TCP timeouts
>>     TCPRenoRecoveryFail: 14786
>>     306771 sack retransmits failed
>>     2225 times receiver scheduled too late for direct processing
>>     294 packets collapsed in receive queue due to low socket buffer
>>
>>     121753 DSACKs sent for old packets
>>     64 DSACKs sent for out of order packets
>>     1007539 DSACKs received
>>     1099 DSACKs for out of order packets received
>>     10295 connections reset due to unexpected data
>>
>>     102 connections reset due to early user close
>>     64688 connections aborted due to timeout
>>
>>
>
>
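
An added example, not part of the original messages: shell helpers that pull the SYN-related counters out of `netstat -s` output like that quoted above and count SYN_RECV sockets per remote address. The function names and the sample connection lines (documentation address ranges) are constructed for illustration; the counter values reuse figures from the quoted output.

```shell
# Added example (not from the thread): triage helpers for a suspected SYN flood.
# Function names and the sample connection lines are constructed for illustration.
# Print the SYN-related counters from `netstat -s` text on stdin as name=value.
# cookies_sent > 0 means the kernel has answered SYNs with SYN cookies.
syn_counters() {
    awk '
        /invalid SYN cookies received/        { print "cookies_invalid=" $1; next }
        /SYN cookies received/                { print "cookies_valid=" $1 }
        /SYN cookies sent/                    { print "cookies_sent=" $1 }
        /embryonic SYN_RECV/                  { print "embryonic_resets=" $1 }
        /listen queue of a socket overflowed/ { print "listen_overflows=" $1 }
        /SYNs to LISTEN sockets ignored/      { print "syns_ignored=" $1 }'
}

# Count half-open (SYN_RECV) sockets per remote address from `netstat -an`
# text on stdin, busiest first. Output lines: "<count> <remote-address>".
synrecv_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             addr = $5; sub(/:[0-9]+$/, "", addr); n[addr]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Show the kernel settings discussed in the thread (Linux /proc paths).
# To turn SYN cookies on (as root): sysctl -w net.ipv4.tcp_syncookies=1
syn_settings() {
    for k in tcp_syncookies tcp_max_syn_backlog tcp_synack_retries; do
        f=/proc/sys/net/ipv4/$k
        if [ -r "$f" ]; then echo "$k=$(cat "$f")"; else echo "$k=unavailable"; fi
    done
}

# Counter values copied from the netstat -s output quoted in the thread.
SAMPLE_STATS='TcpExt:
    421 SYN cookies sent
    99 SYN cookies received
    43807 invalid SYN cookies received
    1188232 resets received for embryonic SYN_RECV sockets
    74580 times the listen queue of a socket overflowed
    74580 SYNs to LISTEN sockets ignored'

# Constructed `netstat -an` lines using documentation address ranges.
SAMPLE_CONNS='tcp        0      0 192.0.2.10:80      198.51.100.7:40112   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.7:40113   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:51844    SYN_RECV
tcp        0      0 192.0.2.10:22      203.0.113.50:60022   ESTABLISHED'
printf '%s\n' "$SAMPLE_STATS" | syn_counters
printf '%s\n' "$SAMPLE_CONNS" | synrecv_by_source
syn_settings
```

On a live host the same functions take `netstat -s | syn_counters` and `netstat -an | synrecv_by_source | head`. A flood with spoofed source addresses shows many remote addresses with one or two entries each rather than one dominant address.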



