Quote:
* PING to my host and don't reply
"ipchains -A input -i (interface) -p icmp --icmp-type echo-request -l -j DENY"
This will deny & log requests, top it off with
"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
SYN flooding is when your box isn't able to complete the 3-way handshake, probably because the source IPs are spoofed; this way the connection won't be closed, consuming resources.
/usr/src/linux/Documentation/ip-sysctl has a few options:
The kernel "SYN COOKIES" feature has to be compiled in and doesn't stop flooding, but it lets you log in to your box while under attack. rp_filter will attempt reverse path address validation, and tcp_max_syn_backlog handles the maximum number of incomplete connections before they are dropped.
syncookies is handled in /proc/sys/net/ipv4, the other two in /proc/sys/net/conf/*/
You'll also want to deploy Snort, which can trace DoS attack signatures such as Ping & SYN floods. Then drop the offenders into a chain.
Real protection from flooding is only possible with an upstream shutdown. *Seems iptables has rate-limiting caps.
Note unix uses UDP for traces while W32 uses ICMP.
Deny & log requests:
"ipchains -A input -i (interface) -p udp --source-port 32769:65535 --destination-port 33434:33523 -j DENY -l"
"ipchains -A output -i (interface) -p icmp --icmp-type time-exceeded -l -j DENY"
*Also note some people don't find it necessary to "touch" the host with traceroute, specifying a max hop count to, say, the closest router.
Btw, if you're a newbie sysadmin, it's time to do some serious RTM'ing :-]
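As an added example (not from the post above, and not Snort's own rule engine), here is the detection logic the post hands off to Snort, written out over a constructed packet list: count half-open connections per source (the "incomplete connections" tcp_max_syn_backlog bounds), measure the peak ICMP echo-request rate per source, and recognise the Unix traceroute probe pattern from the ipchains rule (UDP, source port 32769 and up, destination port 33434 to 33523). The packet tuples, the threshold values and the function names are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample traffic, not a capture. Each record is
# (timestamp_seconds, source_ip, proto, details), where details is
#   tcp  -> (sport, dport, flags)   flags "S" = SYN only, "A" = ACK set
#   udp  -> (sport, dport)
#   icmp -> (icmp_type,)
SAMPLE = [
    (0.00, "10.0.0.5", "tcp", (40000, 80, "S")),      # four SYNs, never completed
    (0.01, "10.0.0.5", "tcp", (40001, 80, "S")),
    (0.02, "10.0.0.5", "tcp", (40002, 80, "S")),
    (0.03, "10.0.0.5", "tcp", (40003, 80, "S")),
    (0.10, "10.0.0.7", "tcp", (50000, 80, "S")),      # normal client: SYN then ACK
    (0.11, "10.0.0.7", "tcp", (50000, 80, "A")),
    (0.20, "192.0.2.9", "icmp", ("echo-request",)),   # six pings in 50 ms
    (0.21, "192.0.2.9", "icmp", ("echo-request",)),
    (0.22, "192.0.2.9", "icmp", ("echo-request",)),
    (0.23, "192.0.2.9", "icmp", ("echo-request",)),
    (0.24, "192.0.2.9", "icmp", ("echo-request",)),
    (0.25, "192.0.2.9", "icmp", ("echo-request",)),
    (0.30, "198.51.100.3", "udp", (40000, 33434)),    # Unix traceroute probe
    (1.00, "198.51.100.3", "icmp", ("echo-request",)),  # slow, ordinary pings
    (3.00, "198.51.100.3", "icmp", ("echo-request",)),
    (5.00, "198.51.100.3", "icmp", ("echo-request",)),
]

# Port ranges taken from the ipchains rule in the post.
TRACEROUTE_SPORT_MIN = 32769
TRACEROUTE_DPORTS = range(33434, 33524)   # 33434:33523 inclusive


def is_unix_traceroute_probe(proto, sport, dport):
    """True for the UDP probe pattern Unix traceroute sends (W32 tracert uses ICMP instead)."""
    return proto == "udp" and sport >= TRACEROUTE_SPORT_MIN and dport in TRACEROUTE_DPORTS


def half_open_by_source(packets):
    """Count SYNs per source that were never followed by an ACK on the same (src, sport, dport).

    Each surviving entry is one incomplete connection occupying backlog on the target.
    """
    syns, completed = set(), set()
    for _, src, proto, details in packets:
        if proto != "tcp":
            continue
        sport, dport, flags = details
        key = (src, sport, dport)
        if flags == "S":
            syns.add(key)
        elif "A" in flags and key in syns:
            completed.add(key)
    counts = defaultdict(int)
    for src, _, _ in syns - completed:
        counts[src] += 1
    return dict(counts)


def echo_request_rate(packets, window=1.0):
    """Peak number of ICMP echo-requests each source sent inside any `window`-second span."""
    times_by_src = defaultdict(list)
    for ts, src, proto, details in packets:
        if proto == "icmp" and details[0] == "echo-request":
            times_by_src[src].append(ts)
    peak = {}
    for src, times in times_by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peak[src] = best
    return peak


def flag_offenders(packets, syn_limit=3, ping_limit=5):
    """Sources exceeding either threshold; these are the candidates for a DENY chain.

    Thresholds are illustrative (assumed for this example), not values from any tool.
    """
    offenders = {}
    for src, n in half_open_by_source(packets).items():
        if n > syn_limit:
            offenders[src] = "syn-flood"
    for src, n in echo_request_rate(packets).items():
        if n > ping_limit:
            offenders[src] = "ping-flood"
    return offenders


if __name__ == "__main__":
    print("half-open:", half_open_by_source(SAMPLE))
    print("peak echo-requests/s:", echo_request_rate(SAMPLE))
    print("offenders:", flag_offenders(SAMPLE))
```

The half-open counter only credits an ACK that matches an earlier SYN on the same source port, so a spoofed source that never answers the SYN-ACK keeps accumulating, which is exactly the resource exhaustion the post describes; the sliding-window ping counter is what a rate-limit rule would measure before deciding to drop.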