[TriLUG] Detecting SYN Floods with IPTables?
Greg Cox
glcox at pobox.com
Wed Feb 18 09:58:04 EST 2004
> I've searched around, but reading the above makes me think that it will
> log *every* proper TCP connection (i.e. all that begin with a SYN).
> Should I be using the --state flag, and if so, what attribute (NEW,
> ESTABLISHED, INVALID, RELATED)???
I use this (numbers modified):
--------------------------------------------------------------------
# Create the chain first (iptables -N syn-flood) before adding to it
-N syn-flood
# Allow the local net to flood: I trust them
-A syn-flood -s 192.168.100.0/24 -j RETURN
# Keep the outsiders to a sane limit: tune this to fit as needed.
# -m limit is a token bucket: up to 25 SYNs may pass at once, then
# 2 per second; a SYN that finds no token falls through to LOG/DROP.
-A syn-flood -m limit --limit 2/second --limit-burst 25 -j RETURN
# You blew it. log-n-drop
-A syn-flood -j LOG
-A syn-flood -j DROP
# Check all SYNs (--syn = SYN set, ACK/RST/FIN clear: new attempts only)
-A INPUT -p tcp -m tcp --syn -j syn-flood
--------------------------------------------------------------------
However, mine is intentionally throttling both over-eager users and
floods, so you may want to tweak.
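An added example (not from the post above) that simulates the chain's verdicts, modelling `-m limit` as the token bucket it is, so you can see how many SYNs the 2/second, burst 25 rule passes and how one outside flood also starves a legitimate outside client; the addresses and timestamps are constructed.

```python
"""Simulate the syn-flood chain: trusted net bypass, then a shared token bucket."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TRUSTED_NET = ip_network("192.168.100.0/24")  # -s ... -j RETURN
LIMIT_PER_SEC = 2.0                            # --limit 2/second
LIMIT_BURST = 25                               # --limit-burst 25


@dataclass
class LimitMatch:
    """Token bucket approximating iptables' -m limit (one bucket per rule)."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def match(self, now: float) -> bool:
        # Refill at `rate` tokens/second, capped at `burst`.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_verdict(src: str, now: float, limiter: LimitMatch) -> str:
    """Verdict for one SYN: 'ACCEPT' (RETURN to INPUT) or 'DROP' (after LOG)."""
    if ip_address(src) in TRUSTED_NET:
        return "ACCEPT"            # local net never touches the bucket
    if limiter.match(now):
        return "ACCEPT"
    return "DROP"                  # -j LOG, then -j DROP


def run(syns):
    """syns: iterable of (timestamp_seconds, source_ip). Returns (accepted, dropped)."""
    limiter = LimitMatch(LIMIT_PER_SEC, LIMIT_BURST)
    accepted = dropped = 0
    for t, src in syns:
        if syn_flood_verdict(src, t, limiter) == "ACCEPT":
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped
```

Note that the bucket is shared by every non-trusted source, which is exactly the "throttles over-eager users too" behaviour the post warns about.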