Re: SYN flood and IP spoofing
On Mon, 04 Dec 2000, Julien Stern wrote:
> Hi all,
> could someone clarify the following for me?
> I have a debian firewall, running no daemons but ssh2,
> with ipchains, spoof protection on, and syn cookies on.
> I believe someone tried to SYN flood me.
> I have lines like this:
> Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
> +xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
> repeated a few thousand times (with small variations regarding
> the source and destination port (21,137,139,etc)), but _also_ coming from about
> 10 different hosts.
> So, my question is: what is the spoof protection doing exactly?
I think spoof protection implies that the IPs which you registered on your
interfaces, for which routing is set, abide by this routing.
# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces
> Can I assume the attacks are actually coming from the IP addresses
> that are listed
> or is it feasible for someone to produce lines in my logs with any source IP
No flesh shall be spared : Mark 13
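
A small parser for the ipchains "Packet log:" format quoted in the question, added here as an example (it is not part of the original thread): it tallies denied TCP SYNs per source address, with the destination ports and TTL values seen. The sample lines, host name and addresses are constructed, and each log entry is assumed to sit on one unwrapped line.

```python
import re
from collections import defaultdict

# Field layout of an ipchains "Packet log:" kernel line, as quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

# Constructed sample input (documentation address ranges, hypothetical host "gw").
SAMPLE = """\
Nov 30 03:22:53 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2973 203.0.113.5:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
Nov 30 03:22:53 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2974 203.0.113.5:21 L=44 S=0x00 I=59869 F=0x4000 T=227 SYN
Nov 30 03:22:54 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 192.0.2.10:2975 203.0.113.5:139 L=44 S=0x00 I=59870 F=0x4000 T=227 SYN
Nov 30 03:22:54 gw kernel: Packet log: bad-if DENY ppp0 PROTO=6 198.51.100.7:1045 203.0.113.5:137 L=44 S=0x00 I=1201 F=0x4000 T=52 SYN
Nov 30 03:22:55 gw kernel: Packet log: input ACCEPT ppp0 PROTO=17 198.51.100.7:53 203.0.113.5:1030 L=90 S=0x00 I=1202 F=0x0000 T=52
not a packet log line
"""

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize_denied_syns(lines):
    """Group denied TCP SYN packets by the source address recorded in the log."""
    per_src = defaultdict(lambda: {"count": 0, "dports": set(), "ttls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == 6 and rec["syn"]:
            entry = per_src[rec["src"]]
            entry["count"] += 1
            entry["dports"].add(rec["dport"])
            entry["ttls"].add(rec["ttl"])
    return dict(per_src)

if __name__ == "__main__":
    for src, s in sorted(summarize_denied_syns(SAMPLE.splitlines()).items()):
        print(f"{src}: {s['count']} SYNs, ports {sorted(s['dports'])}, TTLs {sorted(s['ttls'])}")
```

The source column is only what the packet header claimed; the summary makes it easier to compare ports and TTLs across the hosts that show up.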