Re: SYN Flooding attacks

Dave Andersen (angio@aros.net)
Wed, 25 Sep 1996 02:23:19 -0600

There is no good filter example to prevent SYN flooding attacks from
hitting your site, but there's definitely a good filter to prevent them
from COMING from your site.

(If you need something to prevent them from hitting you, check with your
OS vendor or support mailing list or pet dog - there are patches out for
many OSs now which help to contain the damage done by a SYN flood).

To prevent them from coming from you:

Assume portmaster is assigning 128.0.0.1 - 128.0.0.30

add filter nosyn.in
set filter nosyn.in 1 permit 128.0.0.1/27 0.0.0.0/0
set filter nosyn.in 2 deny 0.0.0.0/0 0.0.0.0/0 log

This prevents your portmaster from allowing people to use addresses
other than those that the portmaster is assigning. While it's still
possible for them to synflood (I've heard that there are kernel patches
floating around for Linux which will do it, and you could still spoof a
neighbor's address on the same PM), it greatly reduces the likelihood of
such an attack taking place, and it also increases the odds that they'll
get caught.

You should also have similar packet filters on the outbound
interface(s) of the router(s) connecting you to the world. It's
a second line of defense against the misuse of your internal
servers. Why make yourself an attractive target? :)

-Dave

> From: "CygNet Support" <support@cyg.net>
> Subject: SYN Flooding attacks

> I know I saw this go by once but could you please repeat. Thanks
>
> What is a good filter example to prevent SYN Flooding attacks???
>
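
An added example, not part of the message above or of any Portmaster tooling: a small Python model of the two-rule nosyn.in filter, run over constructed packets to show what it drops and logs and what still passes (a neighbor's address, and the unassigned .0/.31 covered by the /27). First-match evaluation, the silent default drop, and all sample packets are assumptions of the example.

```python
import ipaddress

# The two rules from the message, as (action, source, destination, log).
# First match wins, which is how this added model treats the rule list.
NOSYN_IN = [
    ("permit", "128.0.0.1/27", "0.0.0.0/0", False),
    ("deny",   "0.0.0.0/0",    "0.0.0.0/0", True),
]

def evaluate(rules, src, dst):
    """Return (action, logged) for the first rule matching src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, log in rules:
        # strict=False masks off host bits, so 128.0.0.1/27 means 128.0.0.0/27.
        if (s in ipaddress.ip_network(src_net, strict=False)
                and d in ipaddress.ip_network(dst_net, strict=False)):
            return action, log
    return "deny", False  # assumption: nothing matched, drop silently

def audit(rules, packets, assigned):
    """Label each (port_address, src, dst) packet seen on a dial-in port."""
    out = []
    for port_addr, src, dst in packets:
        action, logged = evaluate(rules, src, dst)
        if action == "deny":
            verdict = "dropped+logged" if logged else "dropped"
        elif src == port_addr:
            verdict = "ok"
        elif src in assigned:
            verdict = "passed: neighbor spoof"   # the caveat in the message
        else:
            verdict = "passed: unassigned in-block address"
        out.append((src, verdict))
    return out

# Constructed sample data: pool 128.0.0.1 - 128.0.0.30, destination in TEST-NET-1.
ASSIGNED = {f"128.0.0.{i}" for i in range(1, 31)}
PACKETS = [
    ("128.0.0.5", "128.0.0.5", "192.0.2.80"),   # honest user
    ("128.0.0.5", "10.9.8.7", "192.0.2.80"),    # source outside the pool
    ("128.0.0.5", "128.0.0.17", "192.0.2.80"),  # source is a neighbor's address
    ("128.0.0.5", "128.0.0.31", "192.0.2.80"),  # inside the /27, never assigned
]

if __name__ == "__main__":
    for src, verdict in audit(NOSYN_IN, PACKETS, ASSIGNED):
        print(f"{src:12} {verdict}")
```

The last two verdicts are the gap a block-wide permit leaves; closing it takes a per-port filter that permits only the single address assigned to that port.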