
SYN flood and IP spoofing

Hi all,

could someone clarify the following for me?

I have a Debian firewall, running no daemons but ssh2,
with ipchains, spoof protection on, and syn cookies on.

I believe someone tried to SYN flood me.
I have lines like this:

Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
+xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN

repeated a few thousand times (with small variations regarding
the source and destination port (21,137,139,etc)), but _also_ coming from about
10 different hosts.

So, my question is: what is the spoof protection doing exactly?
Can I assume the attacks are actually coming from the IP addresses
that are listed or is it feasible for someone to produce lines
in my logs with any source IP address?
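
An added example, not part of the original post: a small parser for the ipchains "Packet log" format quoted above that counts denied TCP SYNs per logged source address and per destination port. The sample lines, host addresses and function names are constructed for illustration; the field meanings follow the ipchains HOWTO.

```python
import re
from collections import Counter

# ipchains "Packet log" fields: chain, action, interface, PROTO,
# src:port, dst:port, L=total length, S=TOS, I=IP id,
# F=fragment offset plus flags, T=TTL, optional SYN marker.
LOG_RE = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<length>\d+)\s+S=(?P<tos>\S+)\s+"
    r"I=(?P<ipid>\d+)\s+F=(?P<frag>\S+)\s+T=(?P<ttl>\d+)(?P<syn>\s+SYN)?"
)

def unwrap(text):
    """Rejoin log lines that were wrapped with a leading '+' as in the post."""
    out = []
    for line in text.splitlines():
        if line.startswith("+") and out:
            out[-1] += " " + line[1:]
        elif line.strip():
            out.append(line)
    return out

def summarize(text):
    """Count denied TCP SYNs per logged source address and destination port."""
    by_src, by_dport = Counter(), Counter()
    for line in unwrap(text):
        m = LOG_RE.search(line)
        if not m or m["proto"] != "6" or not m["syn"]:
            continue  # skip non-TCP packets and TCP packets without SYN
        by_src[m["src"]] += 1
        by_dport[int(m["dport"])] += 1
    return by_src, by_dport

# Constructed sample (documentation address ranges, not taken from the post).
SAMPLE = """\
Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
+192.0.2.10:2973 203.0.113.1:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
Nov 30 03:22:54 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2974 203.0.113.1:21 L=44 S=0x00 I=59869 F=0x4000 T=227 SYN
Nov 30 03:22:55 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6 198.51.100.7:1044 203.0.113.1:139 L=44 S=0x00 I=1201 F=0x4000 T=113 SYN
Nov 30 03:22:56 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=17 198.51.100.7:137 203.0.113.1:137 L=78 S=0x00 I=1202 F=0x0000 T=113
"""

if __name__ == "__main__":
    sources, ports = summarize(SAMPLE)
    print("by source:", sources.most_common())
    print("by destination port:", sorted(ports.items()))
```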

