Hi Hendrik,

If there is no attempt to continue the TCP handshake then you may be getting some kind of DoS attack; if not, I wouldn't assume the IP addresses are faked, otherwise the connection won't work.

The scale (number of SYN/second) will tell you if this is real or just an artifact of something else.

Couple of questions:

1) What are you using for a firewall (hardware/vendor, software etc.)?
2) What ports and protocols are being tried?

If you're interested in where these IPs are, this may be helpful, and it's eye-candy too :)

http://sourceforge.net/projects/openvisualtrace/

Depending on what you're hosting you may want to just dump chunks of the world via firewall rules. I travel for work so that doesn't help me, but it would help for many people. You may also want to dump anything except the protocols/ports you're using. For my home network I block all incoming requests other than SSH and OpenVPN, and those are on non-standard ports.

Another approach is to feed your logs to something like fail2ban, which then updates your firewall rules to block/suppress that behaviour.

Cheers,
John J.

On Wed, 2013-08-21 at 10:35 -0600, Hendrik Schaink wrote:
> I am getting a lot of probes on my firewall that are internally reported
> as Blocked Synflood, cleverly crafted to appear as coming from a number
> of IP addresses onto a select few ports. Assuming the IP addresses are
> all fake and Shaw does not have any incentive to track down the sources,
> how would I go about further protecting my network from these attacks /
> probes / ???
>
> Any input would be appreciated. Thank you,
>
> Hendrik
>
> _______________________________________________
> clug-talk mailing list
> clug-talk@clug.ca
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
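Added example, not part of the original thread: one way to measure the scale John mentions (SYNs per second) and see which ports and how many distinct sources are involved. It assumes netfilter `LOG`-style lines, which the thread does not confirm; the sample log, the `summarize` and `parse_syns` names and the year default are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, trimmed netfilter LOG style (assumed format; documentation IPs).
SAMPLE_LOG = """\
Aug 21 10:35:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 10:35:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 10:35:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 10:35:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 10:35:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=443 DPT=40010 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Aug 21 10:35:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=53 LEN=40
Aug 21 10:35:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=40005 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP "
    r".*?DPT=(?P<dpt>\d+) (?P<flags>.*?)URGP=")

def parse_syns(text, year):
    """Yield (timestamp, src, dport) for initial SYNs only (SYN set, ACK clear)."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP or unrelated log line
        flags = m["flags"].split()
        if "SYN" in flags and "ACK" not in flags:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"])

def summarize(text, year=2013):
    """Return SYN totals, peak and average rate, and distinct sources per port."""
    per_second = Counter()
    sources = defaultdict(set)
    for ts, src, dpt in parse_syns(text, year):
        per_second[ts] += 1
        sources[dpt].add(src)
    total = sum(per_second.values())
    # Average over the whole observed window, including quiet seconds
    span = (max(per_second) - min(per_second)).total_seconds() + 1 if per_second else 0
    return {
        "total": total,
        "peak_per_sec": max(per_second.values(), default=0),
        "avg_per_sec": total / span if span else 0.0,
        "sources_per_port": {p: len(s) for p, s in sorted(sources.items())},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A handful of SYNs per second spread over a few ports looks like background scanning; a sustained rate orders of magnitude higher is what a real flood looks like.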