Sunday, March 16, 2008

My server is under SYN attack, what can I do?

If your server is under a SYN flood attack, you will see a large number of half-open connections in the SYN_RECV state when you run:

netstat -an | grep :80 | more

The output will look like this, but during a real attack there will be several hundred of these lines, not five :)

tcp 0 0 12.34.56.78:80 211.48.6.244:1048 SYN_RECV
tcp 0 0 12.34.56.78:80 128.223.93.135:1167 SYN_RECV
tcp 0 0 12.34.56.78:80 194.15.197.170:1192 SYN_RECV
tcp 0 0 12.34.56.78:80 199.155.53.109:1039 SYN_RECV
tcp 0 0 12.34.56.78:80 4.168.188.28:1048 SYN_RECV
Assuming your kernel was built with syncookie support, enable SYN cookies by typing the following as root:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

If your kernel was built without syncookie support, there isn't much you can do other than build a new kernel with it enabled and reboot into it, or wait out the attack. Some datacenters can help with this as well.
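As an added example (not part of the original post), here is a small POSIX shell script that counts SYN_RECV entries per local port in netstat -an style output and reports whether SYN cookies are currently on. The netstat lines in it are constructed, the alert threshold is lowered to 2 so the sample triggers, and the sysctl path is a parameter so the check can be run against a test file.

```shell
#!/bin/sh
# Added example: spot half-open connection pile-ups per local port and
# check the tcp_syncookies sysctl. Not code from the original post.

# Constructed sample of "netstat -an" output (not real traffic).
SAMPLE='tcp 0 0 12.34.56.78:80 211.48.6.244:1048 SYN_RECV
tcp 0 0 12.34.56.78:80 128.223.93.135:1167 SYN_RECV
tcp 0 0 12.34.56.78:443 194.15.197.170:1192 SYN_RECV
tcp 0 0 12.34.56.78:80 199.155.53.109:1039 ESTABLISHED
tcp 0 0 12.34.56.78:22 4.168.188.28:1048 SYN_RECV'

# syn_recv_count PORT: count SYN_RECV lines (read from stdin) whose local
# address (field 4) ends in :PORT. Taking the last ":"-separated piece also
# works for IPv6 entries such as ":::80".
syn_recv_count() {
    awk -v port="$1" '
        $6 == "SYN_RECV" { n2 = split($4, a, ":"); if (a[n2] == port) n++ }
        END { print n + 0 }'
}

# syncookies_state [FILE]: print "enabled" if the sysctl file holds a value
# of 1 or more (1 = on under overflow, 2 = always), otherwise "disabled".
# FILE defaults to the real sysctl path; pass a path to test offline.
syncookies_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    if [ -r "$f" ] && [ "$(cat "$f")" -ge 1 ] 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# Threshold of 2 is only for the constructed sample; during a real flood
# the post describes several hundred SYN_RECV lines on one port.
THRESHOLD=2
for p in 80 443 22; do
    n=$(printf '%s\n' "$SAMPLE" | syn_recv_count "$p")
    if [ "$n" -ge "$THRESHOLD" ]; then
        echo "port $p: $n half-open connections, possible SYN flood"
    fi
done
echo "SYN cookies: $(syncookies_state)"
```

On a live host, replace the constructed SAMPLE with the real output (`netstat -an | syn_recv_count 80`) and, if the state prints "disabled" and the kernel supports it, apply the echo command from the post.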
