Faruk Ahmed wrote:
--- if I can limit the simultaneous SYN connections from the source IP using iptables, I think that it is possible to fight against Nimda.
Have you tested this? And how do you know which SYN request will lead to a stream containing Nimda? If you rate-limit SYNs (also possible with 2.2.x kernels; check out QoS, backlog queue) you will most certainly punish legitimate traffic.
My conception is that humans usually do not establish as many SYN connections as Nimda or other worms do; if I can determine a threshold of simultaneous SYN connections that Nimda usually creates, I will probably be able to drop packets from the specific source IP which meets the threshold. There is a chance of false positives - I agree.
Another risk is if the attackers are forging their source IP addresses. I don't think your threshold approach would work in this case.
Have you heard of SYN cookies? http://cr.yp.to/syncookies.html
I think that should stop any SYN-flood type of denial-of-service attack, and also should allow all legitimate traffic to get through.
-dj
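To make the two objections in this thread concrete (false positives against shared sources, and forged source addresses sidestepping a per-source count), here is an added example that models the per-source SYN threshold idea in Python. It is not code from anyone in the thread and not an iptables rule; the packet records are constructed, and the one-second window and threshold of 20 are assumed values, not measurements of Nimda. It runs a sliding-window per-source SYN counter, which is what a per-source rate limit such as iptables hashlimit effectively does, over a well-behaved client, a worm-like burst, a busy NAT gateway and a flood whose source addresses are all forged.

```python
"""Sliding-window per-source SYN counter, modelling the iptables threshold idea.

Added illustration for this thread, not any poster's code. The records below
are constructed, and the window/threshold are assumed values, not Nimda data.
"""
from collections import defaultdict, deque

# Constructed SYN records: (timestamp_seconds, source_ip, destination_port).
SYN_RECORDS = (
    [(t * 3.0, "198.51.100.7", 80) for t in range(5)]                  # human browsing
    + [(10.0 + i * 0.025, "203.0.113.9", 80) for i in range(40)]       # worm-like burst
    + [(20.0 + i * 0.03, "192.0.2.1", 80) for i in range(25)]          # NAT gateway, 25 users
    + [(30.0 + i * 0.01, f"10.{i // 256}.{i % 256}.5", 80) for i in range(300)]  # forged sources
)


def find_offenders(records, window_seconds=1.0, threshold=20):
    """Return {source_ip: peak_syn_count} for sources whose SYN count within
    any window of `window_seconds` reaches `threshold`.

    Like a per-source rate limit, this only ever sees the source address the
    packet claims to have.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    peaks = {}
    for ts, src, _port in sorted(records):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()           # drop SYNs older than the window
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def spoofed_sources_caught(records, offenders):
    """Count forged-flood addresses (the constructed 10.x.x.x ones) that the
    threshold caught. Each forged address sends one SYN, so no counter fills."""
    spoofed = {src for _ts, src, _port in records if src.startswith("10.")}
    return len(spoofed & set(offenders))


def main():
    offenders = find_offenders(SYN_RECORDS)
    for src, peak in sorted(offenders.items()):
        print(f"{src}: {peak} SYNs in one window -> would be rate-limited")
    flood = sum(1 for _ts, src, _port in SYN_RECORDS if src.startswith("10."))
    print(f"forged-source flood: {flood} SYNs, "
          f"{spoofed_sources_caught(SYN_RECORDS, offenders)} addresses caught")


if __name__ == "__main__":
    main()
```

The worm-like source is caught, but so is the NAT gateway whose 25 users happened to open connections in the same second (the false positive conceded above), while the 300-packet forged flood is never noticed because no single claimed source ever reaches the threshold.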
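As an added example of why SYN cookies survive a forged-source flood where a per-source counter does not, the following Python models the cookie layout described at the cr.yp.to page linked above: top 5 bits a 64-second time counter, next 3 bits an MSS table index, low 24 bits a keyed hash over the connection 4-tuple and the counter. It is not Bernstein's code nor any kernel's; the secret key, the MSS table, the HMAC-SHA256 hash and the two-tick freshness window are assumptions chosen for the demonstration.

```python
"""Simplified SYN cookie model (layout as on cr.yp.to/syncookies.html).

Added illustration for this thread; not Bernstein's or a kernel's code.
Key, MSS table, hash function and freshness window are assumed here.
"""
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = b"constructed-demo-secret"   # assumed; would be random per boot
MSS_TABLE = (536, 1300, 1440, 1460)           # assumed; 3 bits allow up to 8 entries
COOKIE_TICK_SECONDS = 64
MAX_AGE_TICKS = 2                              # accept cookies from t, t-1, t-2


def _tag24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash binding the cookie to one 4-tuple and one time tick."""
    msg = struct.pack("!4sH4sHI",
                      ipaddress.IPv4Address(saddr).packed, sport,
                      ipaddress.IPv4Address(daddr).packed, dport, t)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now_seconds):
    """Initial sequence number for the SYN-ACK; the server stores nothing."""
    t = (now_seconds // COOKIE_TICK_SECONDS) & 0x1F
    # largest table entry not above the client's MSS (smallest entry if none fits)
    fitting = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fitting[-1] if fitting else 0
    return (t << 27) | (mss_idx << 24) | _tag24(saddr, sport, daddr, dport, t)


def check_cookie(cookie, saddr, sport, daddr, dport, now_seconds):
    """On the final ACK (its ack number minus one is the cookie): return the
    MSS to use if the cookie is genuine and fresh, otherwise None."""
    t_now = (now_seconds // COOKIE_TICK_SECONDS) & 0x1F
    t = (cookie >> 27) & 0x1F
    if ((t_now - t) & 0x1F) > MAX_AGE_TICKS:
        return None                         # stale cookie
    if (cookie & 0xFFFFFF) != _tag24(saddr, sport, daddr, dport, t):
        return None                         # forged, or replayed from another 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo():
    """Constructed handshake: a genuine client, a mismatched source, a stale ACK."""
    conn = ("198.51.100.7", 40001, "192.0.2.10", 80)
    cookie = make_cookie(*conn, client_mss=1460, now_seconds=1000)
    return {
        "genuine": check_cookie(cookie, *conn, now_seconds=1005),
        "wrong_source": check_cookie(cookie, "198.51.100.8", 40001,
                                     "192.0.2.10", 80, now_seconds=1005),
        "stale": check_cookie(cookie, *conn, now_seconds=1000 + 4 * 64),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted, mss=' + str(result) if result else 'rejected'}")
```

A SYN with a forged source never produces the matching ACK, so with cookies it costs the server a SYN-ACK and nothing else: no backlog entry is consumed, which is why legitimate clients still get through during the flood.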