Kevin Brosius on 21 Feb 2004 15:19:02 -0000
George wrote:
> On Fri, Feb 13, 2004 at 09:34:50PM -0500, Kevin Brosius wrote:
> >
> > I haven't analyzed the incoming traffic, beyond noting the heavy load,
> > doing a netstat, and seeing the kernel mention "possible SYN flooding on
> > port 80". What's the best way to check that?
>
> Looks like you have SYN cookies enabled in your kernel and it's sending
> out cookies in response to a high amount of traffic to your web server.
>
> You said you're using iptables to block traffic, right? If you haven't
> done so already, add a rule to log traffic from that host, perhaps with
> rate limit.

I was about to try this out, but the traffic has largely stopped. It
started again briefly around dinner time one evening, but stopped again
within about an hour before I had a chance to turn on some more logging.

I do have some netstat info with ports, and it does show the target was
port 80 (which is running a publicly accessible web server):

  dest                 src
  66.92.236.242:80     63.251.106.30:14179
   "                    "           :36177
   "                    "           :6556
   "                    "           :22502

-- 
Kevin

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
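Added example, not part of the original thread: one way to check which sources hold half-open connections to port 80 and to print the kind of rate-limited iptables LOG rule George suggests. The sample input is constructed from the addresses in the post; the SYN_RECV states, the 192.0.2.x rows, the threshold of 3, the 6/minute limit and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example. Sample is constructed: the 63.251.106.30 ports come from the
# post; the SYN_RECV states and the 192.0.2.x rows are assumptions.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp   0      0      66.92.236.242:80   63.251.106.30:14179  SYN_RECV
tcp   0      0      66.92.236.242:80   63.251.106.30:36177  SYN_RECV
tcp   0      0      66.92.236.242:80   63.251.106.30:6556   SYN_RECV
tcp   0      0      66.92.236.242:80   63.251.106.30:22502  SYN_RECV
tcp   0      0      66.92.236.242:80   192.0.2.10:51000     ESTABLISHED
tcp   0      0      66.92.236.242:80   192.0.2.11:51001     SYN_RECV
tcp   0      0      66.92.236.242:22   192.0.2.12:40000     ESTABLISHED
EOF
}

# Count half-open (SYN_RECV) connections per source for one local port.
# Reads `netstat -ant` style text on stdin, prints "count source" lines,
# busiest source first.
half_open_by_source() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, l, ":")          # last piece of local addr = port
            if (l[n] != port) next
            src = $5
            sub(/:[0-9]+$/, "", src)       # drop the ephemeral source port
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Print (do not run) one rate-limited LOG rule per source at or above a
# threshold. The 6/minute limit, burst of 10 and log prefix are assumed values.
log_rules() {
    half_open_by_source "$1" | awk -v port="$1" -v min="$2" '
        $1 >= min {
            printf "iptables -I INPUT -p tcp -s %s --dport %s --syn " \
                   "-m limit --limit 6/minute --limit-burst 10 " \
                   "-j LOG --log-prefix \"synflood: \"\n", $2, port
        }'
}

sample_netstat | half_open_by_source 80
sample_netstat | log_rules 80 3
# Live use: netstat -ant | log_rules 80 3   (review the rules, then run as root)
```

The limit match keeps the kernel log from being flooded by the same traffic it is recording; the LOG rule has to sit ahead of any DROP rule for that host, which is why the printed rule uses -I rather than -A.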