[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SQUID & syn attack



On November 8, 2003 06:01 am, Alex wrote:
> What rules should be set with iptables to block syn attacks and still allow
> legitimate traffic? The machine that I'm talking about is a squid cache
> server with about 200 clients which also acts as a router with NAT for one
> box on the private LAN.
>
>
> I did tried several approaches but it seems that the rules also interfere
> with client-to-squid connections.
>
> Any thoughts on that?
>
> Thanks!
>
> Alex

Hi,
if the syn is to a valid listening port, I don't see what can be done to stop 
the scan as it is a valid packet. However, if you are being flooded with 
syn's from a single source to a specific port, you may want to set IPtables 
to limit requests. Of course this may also interfere with legitimate client 
traffic to that service. i don't know that you could set a limit on an 
inbound source IP without calling some script from within the rules, which 
would likely bogg down the fw. 

I haven't tried them, but according to nmap, Synlogger and Courtney will 
detect the syn scans, so at least you could find the source and block them. 
Not too dynamic of a solution but you may get some info as to who is causing 
you greif.
-- 
Pete Nesbitt, rhce




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]