[TriLUG] Detecting SYN Floods with IPTables?
Jeff Bollinger
jeff01 at email.unc.edu
Wed Feb 18 09:04:39 EST 2004
I'm working on an issue where a user suspects an irregular but
reoccurring SYN flood against a server (i.e. thousands of connections
with only the SYN flag set -- never closed or ACKd).
I'm thinking I should be able to passively watch traffic to this host
(mirror port) and use the IPTables 'LOG' function to note this type of
attack to determine the source host (attacker). Before I implement my
sniffer, is this the proper SYNtax (sorry ;) for what I'm trying to do:
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD"
I've searched around, but reading the above makes me think that it will
log *every* proper TCP connection (i.e. all that begin with a SYN).
Should I be using the --state flag, and if so, what attribute (NEW,
ESTABLISHED, INVALID, RELATED)???
Thanks!
Jeff
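An added example, not part of the original post, of the two halves a SYN-logging setup usually needs. The rule set keeps the `--syn` match from the question, adds `-m state --state NEW` (a lone SYN is also what conntrack classifies as NEW, so the state match changes little on its own) and, more importantly, rate-limits the LOG target so that a flood cannot also flood syslog. The second function reads kernel LOG lines and counts SYNs per source address, which is what separates an attacker from the ordinary connection attempts the plain rule would log. The chain name SYNWATCH, the log prefix, the limits and the log lines themselves are constructed for this example; the rules are printed rather than executed so the script runs without root, and they assume iptables runs on the attacked server itself (the INPUT chain only sees packets addressed to the host running it, so a mirror-port sensor would need a different hook).

```shell
#!/bin/sh
# Added example, not the original poster's code. Prints the assumed rule set
# instead of applying it; on the server run:  syn_log_rules | sh
syn_log_rules() {
    cat <<'EOF'
iptables -N SYNWATCH
iptables -A INPUT -p tcp --syn -m state --state NEW -j SYNWATCH
iptables -A SYNWATCH -m limit --limit 5/second --limit-burst 10 -j LOG --log-prefix "SYN FLOOD "
iptables -A SYNWATCH -j RETURN
EOF
}

# Read kernel LOG lines on stdin and print "count source" for every source
# address whose logged SYN count is at or above the threshold given as $1,
# busiest source first. Only lines carrying the "SYN FLOOD" prefix are counted.
syn_sources_over() {
    threshold=$1
    awk -v t="$threshold" '
        /SYN FLOOD/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] >= t) print n[s], s }' | sort -rn
}

# Constructed sample log in the format the LOG target writes: 50 SYNs from one
# source, 2 from another, plus one unrelated line that must be ignored.
sample_log() {
    i=0
    while [ "$i" -lt 50 ]; do
        echo "Feb 18 09:04:39 srv kernel: SYN FLOOD IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=$((40000 + i)) DPT=80 SYN URGP=0"
        i=$((i + 1))
    done
    echo "Feb 18 09:04:40 srv kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0"
    echo "Feb 18 09:04:41 srv kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0"
    echo "Feb 18 09:04:41 srv kernel: unrelated line SRC=192.0.2.99"
}

# Usage on a live system would be:  grep 'SYN FLOOD' /var/log/kern.log | syn_sources_over 20
sample_log | syn_sources_over 20
```

The threshold is what turns the rule into a detector: the kernel rule logs every new connection attempt, and the per-source count is where thousands of unanswered SYNs from one address stand out against normal clients that each send one.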