On Fri, Jan 25, 2008 at 01:59:08PM -0700, Charles Jones wrote:
> I had a hobbit-monitored site become the victim of a DDOS syn-flood attack. To help detect this in the future and also aid information-gathering, I did the following [...]
Quite off-topic, but since this was on a Linux system you might want to look into enabling syn-cookies on these servers.
sysctl net.ipv4.tcp_syncookies=1
somewhere in a startup script will do that. It has no impact on the system unless the SYN connection queue fills up.
There's a thread discussing this on the Red Hat mailing list: http://www.redhat.com/archives/rhl-devel-list/2005-January/msg00447.html but the discussion is generic to Linux in all versions. Alan Cox (one of the main Linux kernel developers) also kills some of the myths about this setting in http://www.redhat.com/archives/rhl-devel-list/2005-January/msg00483.html
It won't help on the simple connection flooding (2000 active connections to your webserver), but there are other ways of stopping that - e.g. with Linux' built-in firewall (iptables): http://www.debian-administration.org/articles/187 The example is for fending off SSH brute-force attacks, but the same mechanism can be used for protecting webservers - although you will probably want to raise the limits from the 3 connections/second that the example allows.
Regards, Henrik
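As an added illustration of the two mitigations Henrik mentions (not code from the thread or from the linked articles), the script below checks whether the tcp_syncookies sysctl is on and generates iptables rules that apply the same "recent" rate-limiting mechanism the Debian SSH article uses, generalized to a web server port with a configurable per-second limit and an extra connlimit rule for the "2000 active connections" case. The rules are printed rather than applied so they can be reviewed first; the port, rate and connection-count values are assumptions chosen for the example, and the xt_recent limit of 20 hits per address is the module's default ip_pkt_list_tot.

```shell
#!/bin/sh
# Added example, not from the original thread: check SYN-cookie state and
# emit iptables rate limits for a web server port.

# Return 0 if SYN cookies are enabled. The optional path argument exists
# only so the check can be exercised against a file; on a real host the
# default /proc entry is the one that matters.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print (do not apply) iptables rules that limit new connections from one
# source to HITS per second (via xt_recent, as in the SSH article) and cap
# concurrent connections per source at MAXCONN (via xt_connlimit).
# Usage: http_flood_rules 80 10 100 | sh   (after reviewing the output)
http_flood_rules() {
    port="${1:-80}"; hits="${2:-10}"; maxconn="${3:-100}"
    # xt_recent remembers at most ip_pkt_list_tot packets per address
    # (default 20), so a larger hitcount needs that module parameter raised.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits exceeds xt_recent default of 20" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -p tcp --dport $port --syn -m recent --name HTTP_SYN --set
iptables -A INPUT -p tcp --dport $port --syn -m recent --name HTTP_SYN --update --seconds 1 --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $maxconn --connlimit-mask 32 -j REJECT --reject-with tcp-reset
EOF
}
```

The first recent rule records every SYN per source address and the second drops a SYN once more than HITS have arrived within one second; using --update rather than --rcheck keeps refreshing the timestamp, so a source that keeps flooding stays blocked. Neither rule helps against a spoofed-source SYN flood, which is what tcp_syncookies is for.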