On Fri, 7 Jan 2005, Mike Klinke wrote: > On Thursday 06 January 2005 22:55, Tom Diehl wrote: > > Hi all, > > > > I am experiencing some kind of attack on one of my web servers. I > > _think_ it might be a syn flood attack but I am not 100% sure. > > Can someone have a look at the following log entries and try to > > give me an idea what is going on here and the best way to > > stop/minimize this? > > > The only thing that I can see that might be related to the IP > address is: > > league.ogn.com.au > > and this is only a possible link as a search engine returned a > paragraph with this domain name in conjuntion with 203.206.95.1. > > ======================== > Oceanic League > ... Q2 Servers: FFA --- > 203.206.95.1:27910 TDM -- > 203.206.95.1:27911 1v1 --- > 203.206.95.1:27912 CTF --- > 203.206.95.1:27920 LOX --- > 203.206.95.1:27930 RA2 ... > league.ogn.com.au/modules/news/article.php?storyid=63 > ===================================================== > > Do you have any gamers behind your firewall? Nope. This has been going on for about 15 hours now. It has changed ipaddress blocks a couple of times. according to ipwhois the all originate from .au. In the last hour it seems to have calmed down. Blocking the ip addresses calms things down until they change to another net block. I am hoping they will move on to somewhere else so I can drop the blocks. I do not like blocking multiple /16's Regards, Tom Diehl tdiehl@xxxxxxxxxxxx Spamtrap address mtd123@xxxxxxxxxxxx