
Re: [cobalt-developers] SYN flooding



Thanks to all so far for the info provided. Things have calmed down and I have about 9 IPs blocked, and it has seemed to help.

I am not 100% positive if they were spoofed or not, but after scanning each one, I am pretty sure they were not the average Joe web surfer.

I am somewhat familiar with ipchains and iptables and I think there is a way using either one to block spoofed IP addresses?

Does anyone know of this or the command off the top of their head?

Is there any negative impact to normal users?

This seems like the way to go, and you would think there would be default support for that in the kernel or in ipchains/iptables.

Next time I am under siege I will use tcpdump and see if I can get some further info if they are spoofed or not.

E.B. Dreger wrote:

Hi Nico,

> > SYN flood != traffic flood
>
> Wow, Big Bad on my part... Of course you are right, what was I
> thinking? I probably was confusing these two types of flooding.
> Apologies.

I, of course, never make typos or erroneous statements. ;-)  And
if you believe that, I have all sorts of magic potions to sell
you...

No problem.  It was probably a good exercise to summarize a SYN
flood, anyway.  Sort of like CJ was keen to mention backscatter,
which I had forgotten to address.

Quick addendum while we're on it:  Non-spoofed SYN floods built
using raw IP sockets mean that the attacker will send a RST in
response to the SYN+ACK, as there is no TCP socket awaiting
SYN+ACK.

The best way to trace these things is having a clueful upstream.
And, please, everyone block spoofed packets at your edge unless
you have a _really_ good reason not to.  Especially if you're
running colo... it's the right thing to do.


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.

--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
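Sorting the sources in a tcpdump capture the way this thread suggests, as an added Python example that is not from the thread or its authors: sources in your own prefix or in private space are spoofed by definition and belong in an edge filter, a source that answers the SYN+ACK with RST matches the raw-socket pattern Eddy describes, and a source that completes the handshake is an ordinary client. The server address, the prefix and the capture lines are constructed.

```python
import ipaddress
import re
# Assumed topology (not from the thread): server 203.0.113.10:80 in our own prefix
# 203.0.113.0/24. Our prefix and RFC 1918/loopback space can never be a real source outside.
NEVER_A_SOURCE = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed tcpdump-style lines (timestamps dropped), not a real trace.
SAMPLE = """\
IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1
IP 203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 100, ack 2
IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [R], seq 2
IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 1
IP 203.0.113.10.80 > 198.51.100.7.40002: Flags [S.], seq 100, ack 2
IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [R], seq 2
IP 10.1.2.3.5555 > 203.0.113.10.80: Flags [S], seq 1
IP 192.0.2.44.7777 > 203.0.113.10.80: Flags [S], seq 1
IP 203.0.113.10.80 > 192.0.2.44.7777: Flags [S.], seq 100, ack 2
IP 192.0.2.44.7777 > 203.0.113.10.80: Flags [.], ack 101
IP 192.0.2.99.8888 > 203.0.113.10.80: Flags [S], seq 1
IP 203.0.113.10.80 > 192.0.2.99.8888: Flags [S.], seq 100, ack 2
"""
LINE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[([^\]]*)\]")

def is_spoofed_source(ip):
    # Ingress-filter test: the address cannot legitimately arrive on the outside interface.
    return any(ipaddress.ip_address(ip) in net for net in NEVER_A_SOURCE)

def classify(capture, server_ip="203.0.113.10"):
    """Return {source_ip: (syn_count, label)} for every source that sent us a SYN."""
    syns, rst_from, acked = {}, set(), set()
    for src, dst, flags in (m.groups() for m in LINE.finditer(capture)):
        if flags == "S" and dst == server_ip:
            syns[src] = syns.get(src, 0) + 1
        elif "R" in flags:
            rst_from.add(src)
        elif flags == ".":
            acked.add(src)
    labels = {}
    for src, n in syns.items():
        if is_spoofed_source(src):
            label = "spoofed-source"        # nothing to trace: drop it at the edge
        elif src in acked:
            label = "handshake-completed"   # ordinary client behaviour
        elif src in rst_from:
            # Real host, no socket waiting (Eddy's raw-socket pattern); a live host whose
            # address was spoofed also RSTs, so this is a lead for the upstream, not proof.
            label = "rst-after-synack"
        else:
            label = "no-reply"              # SYN+ACK unanswered: spoofed or unreachable
        labels[src] = (n, label)
    return labels
```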