Re: Dos attack

From: Jose Maria Lopez Hernandez (jkerouac_at_bgsec.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 04:23:22 +0200

NeoSadist wrote:
> Jim G. wrote:
>
>
>>How do I stop a DoS SYN attack? My ISP has already stopped UDP connections
>>from hitting my servers, but I still have 225,000 connections to my 5
>>servers from a SYN attack. My load balancer is doing well keeping up, and I
>>read something about tcp_syncookies; will that help if I enable it? I am
>>behind a firewall, but it's still causing my site to slow.
>>
>>Help!!!
>>
>>Jim
>
>
> Oh, I forgot. If you want, you can use iptables to filter what's incoming,
> therefore that could help. If this machine is a home desktop, I recommend
> not allowing incoming SYN except when necessary anyways, but then again,
> read up on IPTables as well.
>

This solution is good if you don't have to accept incoming
connections, but if you have to, then it's a bit harder. You
could just let in the SYNs that have a destination address in
your network, because I have found most of the SYN packets
are spoofed.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                 -- Jack Kerouac, "On the Road"
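
A way to measure what the thread discusses, as an added example that is not part of the original messages: it counts half-open (SYN_RECV) sockets per local port from `/proc/net/tcp`-format text and reports whether `tcp_syncookies` is enabled. The sample rows are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: measure half-open (SYN_RECV) sockets and check tcp_syncookies.

# Constructed rows in /proc/net/tcp layout, trimmed to the first five columns.
# Addresses are little-endian hex; st 0A = LISTEN, 01 = ESTABLISHED, 03 = SYN_RECV.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue:rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A0200C0:0050 076433C6:C350 01 00000000:00000000
   2: 0A0200C0:0050 057100CB:9C40 03 00000000:00000000
   3: 0A0200C0:0050 067100CB:9C41 03 00000000:00000000
   4: 0A0200C0:0050 086433C6:EA60 03 00000000:00000000
   5: 0A0200C0:01BB 096433C6:EA61 03 00000000:00000000
EOF
}

# Total sockets stuck in SYN_RECV (handshake started, never completed).
# On a live host: count_syn_recv < /proc/net/tcp
count_syn_recv() {
    awk '$4 == "03" { c++ } END { print c + 0 }'
}

# "port count" lines, busiest port first; the hex port is decoded by hand
# because POSIX awk has no strtonum().
syn_recv_by_port() {
    awk '$4 == "03" {
             split($2, a, ":"); hex = a[2]; port = 0
             for (i = 1; i <= length(hex); i++)
                 port = port * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
             n[port]++
         }
         END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1n
}

# 0 = disabled; 1 = cookies sent once the SYN backlog overflows; 2 = always.
syncookies_status() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(cat "$f") in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

echo "tcp_syncookies: $(syncookies_status)"
echo "half-open sockets: $(sample_proc_net_tcp | count_syn_recv)"
sample_proc_net_tcp | syn_recv_by_port
```

A SYN_RECV count that stays high on a listening port while established connections stay flat is the signature of the flood described in the question; with syncookies enabled the kernel keeps answering SYNs after the backlog fills instead of dropping them.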