Jason -
Thanks for the reply.
The attack seems to have subsided this morning. The
'foreign address' for all of the SYN_RECV listings in
netstat were unique (I captured a list of them if it
would help). If they had been somehow spoofed, any
ideas how I would be able to figure out where they
were
Sounds like a SYN Attack... Are all of these connections sourced from
the same location? Can you access your router to determine where the
traffic is coming from?
On Thu, 2003-12-18 at 01:00, andy drexler wrote:
> Bill -
>
> Thanks for the reply.
>
> I followed your advice below and it doesn't
Bill -
Thanks for the reply.
I followed your advice below and it doesn't seem to
have made a difference.
I did a
netstat -n -p TCP
and it shows a couple of hundred active connections,
with 130 or so being the SYN_RECV state. Could this be
some sort of DOS attack?
Thanks again for your help.
andy drexler wrote:
I searched the mail archive and found out why the log
file was empty. I added the -v to the smtpd/run script
and the log is now growing. On the server, there are a
bunch of running smtpd processes:
21728 ?S 0:00 /var/qmail/bin/qmail-smtpd
mail2.smartsite.net /home/v
I searched the mail archive and found out why the log
file was empty. I added the -v to the smtpd/run script
and the log is now growing. On the server, there are a
bunch of running smtpd processes:
21728 ?S 0:00 /var/qmail/bin/qmail-smtpd
mail2.smartsite.net /home/vpopmail/bin/vchkpw
