
Re: netstat shows strange output



On Sun, Jan 06, 2008 at 01:36:26PM -0600, William Twomey wrote:
> 
> I also disabled ipv6, which I was seeing a lot of from this host.

Probably not, unless you've knowingly configured IPv6 routing and all
that; you were probably seeing a lot of IPv4 mapped v6 addresses, which
look (in netstat) like ::ffff:66.116.125.131. [1] Disabling v6 is an
entirely reasonable thing to do if you don't use it, but is probably not
going to do anything about the actual traffic.

> tcp        0      0 192.168.1.240:www       ba.2c.5646.static:55674 FIN_WAIT2
> tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44413 CLOSE_WAIT
> tcp        0      0 192.168.1.240:www       ba.2c.5646.static:59517 ESTABLISHED
> tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44401 CLOSE_WAIT
> 
> I've blocked this IP (resolves to 18255.com) on this machine using 
> iptables -I INPUT -s 66.116.125.131 -j DROP
> 
> This doesn't work, so perhaps it's a spoofed IP? *shrugs*
> 
> Any help would be appreciated, this is causing a bit of strain on my web 
> server. :/

Dropping packets from a host won't magically make all open connections
from that host go away.  These connections will eventually time out and
go away.  Until then, unless your web server is *really*
resource-starved, these connections aren't causing any significant
strain.

You should probably read the netstat man page and RFC 793 [2] for info
about what those various states mean.  For example, a connection in
FIN_WAIT2 state is waiting for a packet from the remote host, which
you've explicitly forbidden.

noah

[1] http://en.wikipedia.org/wiki/IPv4_mapped_address
[2] http://nwww.faqs.org/rfcs/rfc793.html
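
The two points in the reply above (IPv4-mapped addresses in netstat, and connections that linger after a DROP rule) can be checked with a small triage script. This is an added example, not part of the original message; it assumes numeric `netstat -tn` output, and the sample rows, the function names and the `NEEDS_REMOTE_SEGMENT` set are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed `netstat -tn` sample; only the two addresses quoted in the
# thread are taken from it, every port and the 192.168.1.10 peer are made up.
SAMPLE = """\
tcp        0      0 192.168.1.240:80        66.116.125.131:55674    FIN_WAIT2
tcp        1      0 192.168.1.240:80        66.116.125.131:44413    CLOSE_WAIT
tcp        0      0 192.168.1.240:80        66.116.125.131:59517    ESTABLISHED
tcp6       1      0 ::ffff:192.168.1.240:80 ::ffff:66.116.125.131:44401 CLOSE_WAIT
tcp        0      0 192.168.1.240:22        192.168.1.10:51122      ESTABLISHED
"""

# States (RFC 793) that only advance when a segment arrives from the peer,
# so a DROP rule on the peer leaves them to the local timers.
NEEDS_REMOTE_SEGMENT = {"FIN_WAIT1", "FIN_WAIT2", "LAST_ACK"}


def normalize(addr_port):
    """Split 'addr:port'; fold an IPv4-mapped IPv6 address to plain IPv4."""
    addr, _, port = addr_port.rpartition(":")
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip), port


def states_by_remote(netstat_text):
    """Return {remote_ip: Counter({state: count})} for TCP rows."""
    table = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # header lines, UDP rows, anything malformed
        remote_ip, _port = normalize(fields[4])
        table[remote_ip][fields[5]] += 1
    return table


def stalled_by_drop(table, remote_ip):
    """States for remote_ip that cannot progress once its packets are dropped."""
    return {s: n for s, n in table[remote_ip].items() if s in NEEDS_REMOTE_SEGMENT}


if __name__ == "__main__":
    table = states_by_remote(SAMPLE)
    for ip, states in table.items():
        print(ip, dict(states), "stalled:", stalled_by_drop(table, ip))
```

The `tcp6` row is counted under the same IPv4 peer as the `tcp` rows, and the CLOSE_WAIT entries are not reported as stalled because they wait on the local application closing its socket, not on the remote host.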
