
Re: SYN flood and IP spoofing



On Mon, 04 Dec 2000, Julien Stern wrote:

> Hi all,
> 
> could someone clarify the following for me?
> 
> I have a debian firewall, running no daemons but ssh2,
> with ipchains, spoof protection on, and syn cookies on.
> 
> I believe someone tried to SYN flood me.
> I have lines like this:
> 
> Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6
> +xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN
> 
> repeated a few thousand times (with small variations regarding
> the source and destination port (21, 137, 139, etc.)), but _also_ coming from about
> 10 different hosts.
> 
> So, my question is: what is the spoof protection doing exactly?
I think spoof protection implies that the IPs which you registered on your
interfaces, for which routing is set, obey this routing.


<snip>
# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces
</snip>
> Can I assume the attacks are actually coming from the IP addresses
> that are listed 
No.
> or is it feasible for someone to produce lines in my logs with any source IP 
> address?

Yes.


greets

Jigal

-- 
No flesh shall be spared : Mark 13
	- <Hardware>
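
Added example, not part of the original message: a check of the per-interface Source Address Verification setting that the snipped comment refers to. It assumes the standard Linux sysctl path `/proc/sys/net/ipv4/conf/*/rp_filter`, which the message does not name; the function names are hypothetical.

```shell
#!/bin/sh
# Audit Source Address Verification (rp_filter) per interface.
# Assumption: settings live under /proc/sys/net/ipv4/conf/<iface>/rp_filter.
# Pass another directory as $1 to run against a constructed tree.

# Print "<iface> <value> <meaning>" for each interface entry.
rp_filter_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        case "$val" in
            0) meaning=off ;;     # no source validation on this interface
            1) meaning=strict ;;  # reply route must use the arrival interface
            2) meaning=loose ;;   # source must be reachable via any interface
            *) meaning=unknown ;;
        esac
        printf '%s %s %s\n' "$iface" "$val" "$meaning"
    done
}

# Print only the interfaces where verification is switched off.
rp_filter_disabled() {
    rp_filter_report "$1" | while read -r iface val rest; do
        if [ "$val" = "0" ]; then
            echo "$iface"
        fi
    done
}

# Stand-alone use: list interfaces on this host with verification off.
rp_filter_disabled "${CONF_DIR:-/proc/sys/net/ipv4/conf}"
```

The check only shows whether packets with a source address that fails the reverse-path test are dropped; a source address that passes the test can still be forged.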


