How definite are the SYN flood warnings?

Felix von Leitner (
Tue, 16 Dec 1997 08:11:27 +0100

I received several warnings in the log file of our production server,
all in the form

/var/log/messages:Dec 3 04:01:18 yabba kernel: Warning: possible SYN flood from a.b.c.d on Sending cookies.

Now, this looks to me like some bozo tried to synflood me. Probably had
a look at my server and found almost no TCP services running, thought it
could be an NT box and wouldn't it be fun to nuke me.

But, I could be wrong. Are these messages safe enough that I can go to
the admins and ask them if they know of any offender at their site?

Yes, I know that the IP numbers can be faked. That would not stop me
from contacting the admins of the possibly spoofed IP numbers, though.

I had a few port scans, too. Since my machine runs almost nothing, I
consider it pretty on the safe side now.
For an internet server, that is.

BTW: I installed a small program that logs connecting IP numbers and
have it run by inetd on a few well-known ports so people find something
if they port-scan me. Does anyone see any problem with that (except
that it could overflow my disk space with log messages)