Just got SYN flooded. There are about 200 of these coming from Egypt, and the server got sloowwww. It's cumbersome to do iptables -A INPUT -s 196.218.51.134 -j DROP on all of the IPs. Any ideas on how to best handle these types of situations?

tcp 0 0 79.134.125.169:80 196.218.51.134:2535 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:1296 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:2130 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:4306 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:1984 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:2536 SYN_RECV -
Is the attack coming from one IP, or does the IP change? If it's from one IP, you can block it like this: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
It was only from 2 different IP addresses so it was easy to block with the above command. But since this kind of stuff seems to be growing more common we should find a bit more permanent solution.
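One way to automate the triage this thread describes, as an added example that is not code from the thread or from the linked howtoforge post: count SYN_RECV entries per remote address in netstat output (the first post's listing) and print the iptables rules an admin would review before applying them (the "more permanent solution" the last post asks for). The sample netstat lines below are constructed to resemble those in the first post; the threshold of 50 is an assumed default.

```shell
#!/bin/sh
# Count half-open (SYN_RECV) connections per remote address in netstat-style
# input on stdin and print "count ip" for every source at or above a threshold
# (argument 1, assumed default 50), highest count first.
syn_recv_offenders() {
    threshold="${1:-50}"
    awk -v thr="$threshold" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            # field 5 is the remote endpoint "addr:port"; strip the port
            sub(/:[0-9]+$/, "", $5)
            count[$5]++
        }
        END {
            for (ip in count)
                if (count[ip] >= thr) print count[ip], ip
        }' | sort -rn
}

# Dry run: print the DROP rules from the thread for each offender so they can
# be reviewed before being applied. Nothing is executed here.
suggest_drop_rules() {
    syn_recv_offenders "$1" | awk '{ print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Constructed sample modelled on the netstat output in the first post; the
# ESTABLISHED line and the second source are there to show they are handled.
SAMPLE_NETSTAT='tcp 0 0 79.134.125.169:80 196.218.51.134:2535 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:1296 SYN_RECV -
tcp 0 0 79.134.125.169:80 196.218.51.134:2130 SYN_RECV -
tcp 0 0 79.134.125.169:80 10.0.0.7:40001 ESTABLISHED -
tcp 0 0 79.134.125.169:80 198.51.100.23:5001 SYN_RECV -'

# Live use on the box: netstat -ant | syn_recv_offenders 50
# Offline demo on the constructed sample with a threshold of 3:
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_drop_rules 3
```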