SYN flood and IP spoofing
Could someone clarify the following for me?
I have a debian firewall, running no daemons but ssh2,
with ipchains, spoof protection on, and syn cookies on.
I believe someone tried to SYN flood me.
I have lines like this:
Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
+xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
repeated a few thousand times (with small variations regarding
the source and destination port: 21, 137, 139, etc.), but _also_ coming from about
10 different hosts.
So, my question is: what is the spoof protection doing exactly?
Can I assume the attacks are actually coming from the IP addresses
that are listed or is it feasible for someone to produce lines
in my logs with any source IP address?
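
A way to tally log lines like the one quoted above by the source address each packet carried, as an added example that is not part of the original post. The sample lines and addresses are constructed, `summarize` is a hypothetical helper, and the code assumes each ipchains record sits on a single line.

```python
import re
from collections import defaultdict

# ipchains "Packet log" record: chain, target, interface, protocol number,
# src:port, dst:port, then L= (length) S= (TOS) I= (IP id) F= (fragment field)
# T= (TTL), with a trailing SYN when the TCP SYN flag is set.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE_LOG = """\
Nov 30 03:22:53 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2973 198.51.100.1:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
Nov 30 03:22:53 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2974 198.51.100.1:21 L=44 S=0x00 I=59869 F=0x4000 T=227 SYN
Nov 30 03:22:54 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2975 198.51.100.1:139 L=44 S=0x00 I=59870 F=0x4000 T=227 SYN
Nov 30 03:22:54 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.77:1045 198.51.100.1:25 L=44 S=0x00 I=1201 F=0x4000 T=52 SYN
Nov 30 03:22:55 gw kernel: Packet log: bad-if DENY ppp0 PROTO=17 192.0.2.77:137 198.51.100.1:137 L=78 S=0x00 I=1202 F=0x0000 T=52
Nov 30 03:22:56 gw sshd[411]: constructed unrelated line
"""

def summarize(log_text):
    """Group denied TCP SYNs by the source address written in the packet."""
    stats = defaultdict(lambda: {"syns": 0, "dports": set(), "ttls": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Keep only TCP (protocol 6) records that carry the SYN marker.
        if not m or m["proto"] != "6" or not m["syn"]:
            continue
        entry = stats[m["src"]]
        entry["syns"] += 1
        entry["dports"].add(int(m["dport"]))
        entry["ttls"].add(int(m["ttl"]))
    return dict(stats)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items()):
        print(src, s["syns"], sorted(s["dports"]), sorted(s["ttls"]))
```

The address in each record is the one written in the packet header; the per-source port and TTL sets give a quick view of how uniform the traffic from each listed address is.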