Hi Philippe and list! On Mon, 25 Aug 2003, Philippe Vogel wrote:

More simple:

This is a rule for input chain of your server's firewall.

Analog to synflodd protection insert this in your firewallscript before you allow conncetion to port 80:

# Set your number of max. connections here! CONNECTION_LIMIT="100"

iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit $CONNECTION_LIMIT/h \ -j LOG --log-prefix 'limit of $CONNECTION_LIMIT connections reaced'

Reguards

Philippe

Thanks for the suggestion. I understand what your saying, and I have this in my firewall already. What I'm looking for is a way to identify spoofed IP Syn flood attacks. I thought this could be done by keeping a count of each packet that is making an excessive amount of un-ACKnowleged TCP connections to the server. DrDOS attacks are made by sending packets with spoofed IP source address, for the machine the attacker wishes to target. The server will keep responding to these packets by sending out SYN/ACK packets, and wait for an ACK reply. So, if the source IP address is faked, the server is sending packets to a machine that has not asked for the connection. And the server will keep on sending out SYN/ACK packets till it times out, which could be quite a while. My idea was to keep a count of ALL packets coming to the server, and if there is an excessive amount of packets that are coming from one source IP, in a very short period of time, then this would probably indicate a SYN flood attack. With this information, it would then be possible to tell the server to block ALL future packets from the identified SYN flood source IP address, for an hour or more. (Even though the source IP is faked, this will stop Apache responding with SYN/ACK packets, which could in turn foil a SYN flood attack on someone elses machine). After the pre-configured time-out, connections from the blocked IP address would be allowed again. So you are right, this would work like the limit module in IPTables, but will also give alot more information, which Apache could then act upon. The idea is to build Syn flood attack prevention into Apache, so that the server will identify such attacks, and automatically block them, for a certain period of time, depending on the cofiguration directives allowed by the modifications done to the server. I don't mind working on this with someone else that has experience with Apache development, and is able to make the required modifications to the source code, etc. I have not had a chance to check out the other suggestions yet, but thanks to those that have made comments. Kind Regards - Keith Roberts PS Would anyone like a copy of httpd.conf that I have reworked, and divided into 4 main include files? If so, I will email it to you off this list. snip->............. # The configuration directives have been regrouped into four basic sections: # 1. Directives that deal with dynamic loading of different Apache modules, # for extending the functionality of Apache web server. # # 2. Directives that control the operation of the Apache server process as a # whole (the 'global environment'). # # 3. Directives that define the parameters of the 'default' server, # which responds to requests that aren't handled by a virtual host. # These directives also provide default values for the settings # of all following virtual hosts. # # 4. Settings for virtual hosts, which allow Web requests to be sent to # different IP addresses or hostnames and have them handled by the # same Apache server process. snip->............. (a reworked copy of php.ini and chapter 3 configuring PHP is available as well, if anyone would like a copy)