Re: How definite are the SYN flood warnings?

Jon Lewis (
Thu, 18 Dec 1997 00:13:24 -0500 (EST)

On Tue, 16 Dec 1997, Felix von Leitner wrote:

> I received several warnings in the log file of our production server,
> all in the form
> /var/log/messages:Dec 3 04:01:18 yabba kernel: Warning: possible SYN flood from a.b.c.d on Sending cookies.
> Now, this looks to me like some bozo tried to synflood me. Probably had
> a look at my server and found almost no TCP services running, thought it
> could be an NT box and wouldn't it be fun to nuke me.

The synflood protection (at least in 2.0.x) is a bit too easily set off.
i.e. I get messages like:
Warning: possible SYN flood from on
Sending cookies.
validated probe(,, 1365466301)

on my news server all the time. In your case, it was the auth service
being hit hard enough for the kernel to suspect syn flooding. In many
cases, it's a false alarm.

Jon Lewis <> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______ for PGP public key____
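
Added example, not part of the original message: a small triage script that groups these kernel warnings by destination port, so you can see which service is tripping the check and from how many sources before deciding whether it is a false alarm. The log lines are constructed, and the "on <addr>:<port>." destination field is an assumption, since the archived copy has the addresses stripped.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the warning quoted in the thread.
# Assumption: the destination is logged as "<addr>:<port>." (stripped in the
# archive). 192.0.2.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
Dec 3 04:01:18 yabba kernel: Warning: possible SYN flood from 192.0.2.10 on 198.51.100.5:113. Sending cookies.
Dec 3 04:02:20 yabba kernel: Warning: possible SYN flood from 192.0.2.10 on 198.51.100.5:113. Sending cookies.
Dec 3 04:02:21 yabba sendmail[412]: unrelated line
Dec 3 09:15:02 yabba kernel: Warning: possible SYN flood from 192.0.2.77 on 198.51.100.5:119. Sending cookies.
Dec 3 09:16:40 yabba kernel: Warning: possible SYN flood from 192.0.2.78 on 198.51.100.5:119. Sending cookies.
Dec 3 09:17:55 yabba kernel: Warning: possible SYN flood from 192.0.2.79 on 198.51.100.5:119. Sending cookies.
"""

SERVICES = {113: "auth", 119: "nntp"}  # the two services mentioned in the thread

# search() rather than match(), so "grep"-prefixed lines (file name + ":") also parse.
WARN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"Warning: possible SYN flood from (?P<src>\d+(?:\.\d+){3}) "
    r"on (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+)\."
)

def summarize(log_text):
    """Group SYN flood warnings by destination port."""
    by_port = defaultdict(lambda: {"warnings": 0, "sources": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue  # not a SYN flood warning
        entry = by_port[int(m["port"])]
        ts = " ".join(m["ts"].split())  # collapse syslog's day padding
        entry["warnings"] += 1
        entry["sources"].add(m["src"])
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return {
        port: {**e, "sources": sorted(e["sources"]), "service": SERVICES.get(port, "unknown")}
        for port, e in sorted(by_port.items())
    }

if __name__ == "__main__":
    for port, e in summarize(SAMPLE_LOG).items():
        print(f"port {port} ({e['service']}): {e['warnings']} warnings, "
              f"{len(e['sources'])} source(s), {e['first']} .. {e['last']}")
```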