Hi all,

I am experiencing some kind of attack on one of my web servers. I _think_ it might be a SYN flood attack but I am not 100% sure. Can someone have a look at the following log entries and try to give me an idea what is going on here and the best way to stop/minimize this?

Jan 6 23:04:16 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 6 23:04:18 taz last message repeated 2 times
Jan 6 23:04:20 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24009 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 23:04:21 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=212 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 6 23:04:21 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 6 23:04:22 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=96 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 6 23:04:23 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 6 23:04:26 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=18 ID=30149 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 23:04:26 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24012 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

66.92.236.xxx is DNATed to 192.168.1.9. Ethereal tells me that the packets are empty. This is a fully updated FC2 machine.

FWIW I have blocked several /16s but after an hour or so they move to another one. I do not like the idea of blocking whole countries. :-(

Suggestions appreciated.

Regards,
Tom Diehl
tdiehl@xxxxxxxxxxxx
Spamtrap address mtd123@xxxxxxxxxxxx
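The netfilter LOG format in the post, parsed and checked by an added example (not part of the original thread or the poster's setup). It expands "last message repeated N times" lines and flags the two patterns visible above from a detection standpoint: inbound SYNs whose source port is 0 (never a legitimate client port) and replies from the DNAT target addressed back to port 0. The sample input is a constructed three-line excerpt in the same format; the `fwb(DROPnLOG)` prefix and the `xxx` abbreviation are taken from the post as-is.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format shown in the post.
SAMPLE_LOG = """\
Jan 6 23:04:16 taz kernel: fwb(DROPnLOG) IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.206.95.1 LEN=40 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 6 23:04:18 taz last message repeated 2 times
Jan 6 23:04:20 taz kernel: fwb(DROPnLOG) IN=eth0 OUT= MAC=00:04:5a:51:23:e7:00:90:1a:40:a2:9f:08:00 SRC=203.206.95.1 DST=66.92.236.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=22 ID=24009 PROTO=TCP SPT=0 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; OUT= may be empty


def parse_netfilter_log(text):
    """Return one dict per logged packet (keys as in the log, plus 'prefix'
    and a 'flags' set). A syslog 'last message repeated N times' line is
    expanded into N more copies of the previous packet."""
    packets = []
    for line in text.splitlines():
        m = re.search(r"last message repeated (\d+) times", line)
        if m and packets:
            packets.extend(dict(packets[-1]) for _ in range(int(m.group(1))))
            continue
        if "kernel:" not in line:
            continue
        _, _, body = line.partition("kernel: ")
        prefix, _, rest = body.partition(" IN=")
        pkt = dict(KV_RE.findall("IN=" + rest))
        pkt["prefix"] = prefix.strip()
        pkt["flags"] = {tok for tok in rest.split() if tok in TCP_FLAGS}
        packets.append(pkt)
    return packets


def suspicious_tcp(packets):
    """Count the two anomalies seen in the post, keyed by remote address:
    bare SYNs from source port 0, and ACK replies sent back to port 0."""
    findings = Counter()
    for p in packets:
        if p.get("PROTO") != "TCP":
            continue
        flags = p["flags"]
        if "SYN" in flags and "ACK" not in flags and p.get("SPT") == "0":
            findings[("syn_from_port0", p["SRC"])] += 1
        if "ACK" in flags and p.get("DPT") == "0":
            findings[("reply_to_port0", p["DST"])] += 1
    return findings


if __name__ == "__main__":
    for key, n in suspicious_tcp(parse_netfilter_log(SAMPLE_LOG)).items():
        print(key, n)
```

A sustained count of port-0 SYNs per remote address is the figure to watch over a longer window; a firewall rule that drops TCP with SPT=0 inbound is the usual mitigation alongside SYN cookies.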