Re: SYN flooding....

Jon Lewis (jlewis@inorganic5.fdt.net)
Sun, 25 May 1997 11:57:51 -0400 (EDT)


On Sun, 25 May 1997 Eric.Schenk@dna.lth.se wrote:

> (2) If you are really under attack, then by the very nature of the
> SYN flood attack it is not possible to know from whom the attack
> is coming. The kernel only knows the spoofed address on the
> SYN packets that are arriving, and those are anything but the
> address of the attacker.

Not all net scum necessarily have clues. I have seen several cases of SYN
flooding without forged source addresses. Also, since the validated probe
message prints the remote address, it might be nice to do the same in the
"Possible flooding" message so you can match the 2 up and see "here's a
possible SYN flood from hostA, but there's the validated probe for hostA, so
it probably wasn't really an attack."

Not that anyone reads the Configure.help, but maybe we should add
reporting of the source addresses, and mention in the Configure.help that
there is a real possibility that the reported addresses are forged source
addresses and not necessarily the source of the attack.

It was only recently that I noticed how trivial it is to forge the source
address in oversized ping attacks. Now I kind of understand why Alan
didn't bother logging the source address in the original fix.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
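The matching-up Jon describes, written out as an added example (not code from this thread or from the kernel): it reads constructed kernel log lines, pairs "possible flooding" warnings with "validated probe" messages by remote address and port, and flags the pairs that never validated. The exact message wording is assumed; the real kernel text of the time is not on the page.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines. The message texts are an assumption,
# modelled on the "Possible flooding" and "validated probe" messages the
# thread mentions; the actual 1997 kernel wording is not quoted on the page.
SAMPLE_LOG = """\
May 25 11:40:01 host kernel: Warning: possible SYN flooding from 10.0.0.5 on port 80
May 25 11:40:09 host kernel: Validated probe from 10.0.0.5 on port 80
May 25 11:41:30 host kernel: Warning: possible SYN flooding from 192.0.2.77 on port 25
May 25 11:42:02 host kernel: Warning: possible SYN flooding from 192.0.2.77 on port 25
"""

FLOOD_RE = re.compile(r"possible SYN flooding from (\S+) on port (\d+)")
PROBE_RE = re.compile(r"Validated probe from (\S+) on port (\d+)")


def correlate(log_text):
    """Count flood warnings and validated probes per (remote address, port)."""
    counts = defaultdict(lambda: {"floods": 0, "probes": 0})
    for line in log_text.splitlines():
        m = FLOOD_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))]["floods"] += 1
            continue
        m = PROBE_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))]["probes"] += 1
    return dict(counts)


def classify(counts):
    """Label each (address, port) pair from the correlated counts.

    A validated probe means that peer completed a handshake, so the earlier
    warning was probably a busy legitimate client.  No probe leaves the
    warning unexplained; per the thread's caveat the address may be forged,
    so it is a lead to investigate, not proof of who is attacking.
    """
    return {
        key: ("probably legitimate" if c["probes"] > 0
              else "unvalidated: possible flood or forged source")
        for key, c in counts.items()
    }


if __name__ == "__main__":
    for key, label in classify(correlate(SAMPLE_LOG)).items():
        print(f"{key[0]}:{key[1]} -> {label}")
```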