Hi all, could someone clarify the following for me?
I have a Debian firewall, running no daemons but ssh2, with ipchains, spoof protection on, and syn cookies on. I believe someone tried to SYN flood me. I have lines like this:

Nov 30 03:22:53 gw-anubis kernel: Packet log: bad-if DENY ppp0 PROTO=6 +xxx.xxx.xxx.xxx:2973 my_ip_address:25 L=44 S=0x00 I=59868 F=0x4000 T=227 SYN

repeated a few thousand times (with small variations regarding the source and destination port (21, 137, 139, etc.)), but _also_ coming from about 10 different hosts.

So, my question is: what is the spoof protection doing exactly? Can I assume the attacks are actually coming from the IP addresses that are listed, or is it feasible for someone to produce lines in my logs with any source IP address?

Thanks.
Julien

