Re: [cobalt-developers] SYN flooding
- Subject: Re: [cobalt-developers] SYN flooding
- From: Nico Meijer <nico.meijer@xxxxxxxxx>
- Date: Tue Mar 26 17:00:29 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Hi William,
> I have begun denying service to certain IP's that look like they are
> abusing the server. So far I have denied all access from 6 IP addresses.
I did that a couple of times and it didn't work for me at all. I blocked the 'offending' IPs through ipchains and logged all data coming in from those. Hardly what you would call a flood. You couldn't flood a 300bps modem with that traffic.
My guess is it *might* be DRDoS: http://grc.com/dos/drdos.htm.
Is it always the www port (80)? Try tracing the IPs (bet you can't reach 'em) and find out where they're from. I've seen US and Canadian broadband IPs, nothing else so far.
> Although I am not too sure if that is what I should have done or not.
Log the packets and see what happens.
> The kernel seems to have tcp_syncookies enabled, which I think is
> correct, I can turn it off if it will help. But it is one by default, I
> never turned it on.
Keep it on in case you do get flooded.
> Anyway I just want to make sure that I am addressing this situation
> properly and not blocking people out of the server who are not trying to
> abuse it.
There are some hints in the article I linked above, but they are either vague or might deny very valid traffic. Then again, I read the article in depth some time ago, so I can't remember everything right now.
There has been some light discussion on the DRDoS topic on one of the Cobalt lists.
> Any comments or advice. Either is greatly appreciated.
Read the article and tell us what you think, always interested...
Nico
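Nico's advice is to log the packets and look at what actually arrives. The script below is an added example (not from this thread or from Cobalt) that summarises a batch of logged TCP packets and separates the two patterns discussed here: a direct SYN flood (many bare SYNs aimed at port 80) versus reflected DRDoS backscatter (unsolicited SYN/ACKs from many different hosts, all with source port 80). It assumes the log lines are in the Linux iptables LOG format; ipchains lines are laid out differently, and the sample lines are constructed.

```python
import re
from collections import Counter

# Field layout of an iptables LOG line (assumed format; adjust the regex for ipchains output).
FIELD_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, spt, dpt, flags) for a logged TCP packet, or None for any other line."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    tail = line[m.end():]  # the flag words (ACK, SYN, ...) follow the port fields
    flags = {f for f in ("SYN", "ACK", "RST", "FIN") if re.search(r"\b%s\b" % f, tail)}
    return m["src"], m["dst"], int(m["spt"]), int(m["dpt"]), flags

def classify(lines, min_packets=5, min_sources=3):
    """Count bare SYNs and SYN/ACKs in a log batch and name the pattern they most resemble."""
    syn_only, syn_ack = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[4] == {"SYN"}:               # connection request: what a direct SYN flood looks like
            syn_only.append(rec)
        elif {"SYN", "ACK"} <= rec[4]:      # reply to a SYN we never sent: reflected backscatter
            syn_ack.append(rec)
    summary = {
        "syn_only": len(syn_only),
        "syn_ack": len(syn_ack),
        "syn_ack_sources": len({r[0] for r in syn_ack}),   # many distinct hosts => reflectors
        "syn_ack_sports": Counter(r[2] for r in syn_ack),  # a single source port (80) => one reflected service
        "syn_dports": Counter(r[3] for r in syn_only),
    }
    if len(syn_ack) >= min_packets and summary["syn_ack_sources"] >= min_sources:
        summary["verdict"] = "reflected SYN/ACK (DRDoS-style) backscatter"
    elif len(syn_only) >= min_packets:
        summary["verdict"] = "direct SYN flood"
    else:
        summary["verdict"] = "no flood pattern"
    return summary

def _line(src, spt, dpt, flags):
    """Build a constructed iptables-style LOG line for the demo below."""
    return (f"kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 "
            f"ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=16384 RES=0x00 {flags} URGP=0")

# Constructed: five unsolicited SYN/ACKs from five different hosts, all from port 80.
REFLECTED_SAMPLE = [_line(f"203.0.113.{i}", 80, 40000 + i, "ACK SYN") for i in range(1, 6)]
# Constructed: six bare SYNs aimed at the web port from two addresses.
DIRECT_SAMPLE = [_line(f"192.0.2.{i % 2}", 1024 + i, 80, "SYN") for i in range(6)]
```

In the reflected case the logged sources are innocent hosts answering spoofed SYNs, which is why blocking them one by one (as tried earlier in the thread) changes nothing; tcp_syncookies only matters for the direct case.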