Re: syn DDoS attack solution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Martijn Lievaart wrote:

Ric Messier wrote:

Bgs writes:

Some more info about the attack: All IPs were real IPs otherway the tcp
handshake wouldn't have made it. The attacker IPs were also consistent.
They also new about the blocked IPs as after a new bunch of blocked IPs
we fared OK then they added another bunch new IPs... we played this for
quite some time...

All connections were in the ESTABLISHED state.
Then your original description was incorrect or at least inadequate. It has 
nothing to do with SYN as originally suggested since an ESTABLISHED
connection has blown past SYN, through SYN/ACK and by ACK. It has completed the TCP handshake, as you note above. A SYN attack/flood would stop after sending the initial SYN and leave the connection half-open to exhaust the 
half-open buffers.
An connection is in the ESTABLISHED state once a packet has been seen. So once the SYN is seen, the state is ESTABLISHED.
Ah scratch that. You're talking about open connections, not ipfilter state matching. 

M4
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux