SYN flood and IP spoofing

To: Debian Firewall List <debian-firewall@lists.debian.org>
Subject: SYN flood and IP spoofing
From: Julien Stern <stern@lri.fr>
Date: Mon, 4 Dec 2000 15:09:25 +0100
Message-id: <20001204150925.A24084@lri.fr>
Mail-followup-to: Julien Stern <stern@lri.fr>, Debian Firewall List <debian-firewall@lists.debian.org>

Hi all,

could someone clarify the following for me?

I have a debian firewall, running no daemons but ssh2,
with ipchains, spoof protection on, and syn cookies on.

I believe someone tried to SYN flood me.
I have lines like this:

Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
+xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN

repeated a few thousands times (with small variations regarding
the source and destination port (21,137,139,etc)), but _also_ coming from about
10 different hosts.

So, my question is: what is the spoof protection doing exactly?
Can I assume the attacks are actually coming from the IP addresses
that are listed or is it feasible for someone to produce lines
in my logs with any source IP address?

Thanks.
Julien

Reply to:

Follow-Ups:
- Re: SYN flood and IP spoofing
  - From: Jigal Weinberg <jigal@cistron.nl>

Next by Date: Re: SYN flood and IP spoofing
Next by thread: Re: SYN flood and IP spoofing
Index(es):
- Date
- Thread