From: Anil Jangity
To: freebsd-questions@freebsd.org
Date: Sun, 25 Jul 1999 01:08:59 -0700 (PDT)
Subject: lots of SYN_RCVDs

Hi,

I am using 2.2.8 STABLE. I have noticed that if I do

    netstat -n |grep RCVD

I am seeing a LOT of connections that look like this:

    tcp 0 0 209.157.x.y.23 5.217.247.122.50813 SYN_RCVD
    tcp 0 0 209.157.x.y.23 161.123.163.118.44481 SYN_RCVD
    tcp 0 0 209.157.x.y.23 8.227.78.245.42898 SYN_RCVD
    tcp 0 0 209.157.x.y.23 164.133.250.241.36566
    ----------------------------------------------------------------

The weird thing is, I try to ping the hosts on the right side and I get NO reply from them. I did a traceroute on at least 5 IPs and nothing wrong on my side. Is it just that they are blocking ICMP? If so, that's a big coincidence that none of those IPs seem to be pingable. (Yes, I am able to ping other known hosts successfully.)

Is this what a SYN flood looks like? If so, is there a patch for 2.2.8 stable for the kernel that limits SYN floods on the CPU? I know there was one that was for 3.X. I don't know who the author was, but it was on bugtraq and freebsd-security.

Also note that it only happens on port 23, and I am positive that all of those are NOT users trying to telnet into me. :)

Thanks.

Kind regards,
Anil Jangity
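An added example, not part of the original post: a shell function that summarises the `netstat -n` view described above by counting SYN_RCVD entries per local port and the number of distinct remote hosts behind them. The function names, the threshold argument and the sample data (documentation addresses) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: count half-open (SYN_RCVD) TCP connections per local port
# from BSD-style `netstat -n` output on stdin.
# Prints "<local_port> <half_open> <distinct_remote_hosts>" for every port
# with at least MIN half-open connections (default 1), busiest first.
# Live use: netstat -n | syn_rcvd_summary 50   (50 is an arbitrary threshold)
syn_rcvd_summary() {
    awk -v min="${1:-1}" '
    $1 ~ /^tcp/ && $NF == "SYN_RCVD" {
        # BSD netstat writes addresses as host.port; split at the last dot.
        lport = $4; sub(/.*\./, "", lport)
        rhost = $5; sub(/\.[^.]*$/, "", rhost)
        count[lport]++
        if (!((lport, rhost) in seen)) {
            seen[lport, rhost] = 1
            hosts[lport]++
        }
    }
    END {
        for (p in count)
            if (count[p] >= min)
                print p, count[p], hosts[p]
    }' | sort -k2,2nr
}

# Constructed sample in the same layout as the output quoted in the post.
sample_netstat() {
cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.23          198.51.100.7.50813     SYN_RCVD
tcp        0      0  192.0.2.10.23          203.0.113.44.44481     SYN_RCVD
tcp        0      0  192.0.2.10.23          198.51.100.91.42898    SYN_RCVD
tcp        0      0  192.0.2.10.23          203.0.113.201.36566    SYN_RCVD
tcp        0      0  192.0.2.10.22          198.51.100.7.1022      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.5.3301       SYN_RCVD
EOF
}
```

A port whose half-open count stays high while the distinct-host count is almost as large matches the pattern reported in the post: many unrelated sources, none completing the handshake.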