Bgs writes:
>
> Some more info about the attack: All IPs were real IPs otherway the tcp
> handshake wouldn't have made it. The attacker IPs were also consistent.
> They also new about the blocked IPs as after a new bunch of blocked IPs
> we fared OK then they added another bunch new IPs... we played this for
> quite some time...
>
> All connections were in the ESTABLISHED state.
>
Then your original description was incorrect or at least inadequate. It has
nothing to do with SYN as originally suggested since an ESTABLISHED
connection has blown past SYN, through SYN/ACK and by ACK. It has completed
the TCP handshake, as you note above. A SYN attack/flood would stop after
sending the initial SYN and leave the connection half-open to exhaust the
half-open buffers.
>
> How is the handling of ESTABLISHED connections implemented in the
> TCP/IP
> stack?
There is likely a timer somewhere to time out connections that are just
hanging around doing nothing. You'd have to dig around to find it and turn
it down. You could also use something like tcpkill to get rid of them for
you.
Ric
|