
So forgive me if this is a dumb question, I'm not much of a networking expert. A friend's server is being flooded by a certain IP, which is pretty obvious when looking at the output of tcptrace, as there are hundreds of connections with state "RESET".

I did the obvious thing and blocked said IP address using iptables:

iptables -I INPUT -s <bad guy> -j DROP

Which, as far as I understand, should do the trick. Now instead of "RESET" the connections show up as "SYN_SENT" in tcptrace, which makes no sense to me.

Am I overlooking something? Do I need to take some extra steps for the kernel to drop the connection completely?

EDIT:

An additional oddity is that, neither with nor without the iptables rule in place, do any strange connections show up with netstat -tuna (gotta love that command), which, as I have read multiple times, should not be the case.

Zoredache

1 Answer


Which, as far as I understand, should do the trick. Now instead of "RESET" the connections show up as "SYN_SENT" in tcptrace, which makes no sense to me.

The important thing to remember about most pcap-based tools is that pcap generally captures lower in the kernel networking stack than any netfilter code. So the packet that you have dropped with iptables is still going to arrive on the interface and be captured.

You are seeing the SYN packets in your capture, but they likely aren't being passed on to anything else in the system, assuming your rule is correctly matching the traffic. Look at the counters (iptables -nvL) for the rule to double-check.

with nor without the iptables rule in place, do any strange connections show up with netstat -tuna

With the rule in place we would obviously expect to see nothing, so that isn't too much of a surprise. Not sure why you weren't seeing anything without the rule, though. I probably would use ss -nut over netstat, though.

Zoredache
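The counter check the answer recommends, as an added example that is not part of the original answer: a small Python parser for `iptables -nvL` output that reports how many packets and bytes the DROP rule for a given source has matched. A non-zero packet count confirms the rule is doing its job even though the SYNs still show up in tcptrace. The sample output embedded below is constructed, and 203.0.113.7 stands in for the blocked address; `live_drop_counters` is a hypothetical helper that runs the real command and needs root.

```python
"""Parse `iptables -nvL` output and report the counters of a DROP rule.

Added example, not code from the original answer. The SAMPLE text is a
constructed imitation of `iptables -nvL INPUT` output; 203.0.113.7 is a
placeholder for the flooding source.
"""
import re
import subprocess

# Constructed sample of `iptables -nvL INPUT` output (not real captured data).
SAMPLE = """Chain INPUT (policy ACCEPT 48213 packets, 9871K bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 50520 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
 1200   96K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Without -x, iptables abbreviates the counters (96K, 12M, ...); with -x they are exact.
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_counter(token):
    """Turn '96K' into 96000; plain integers pass through unchanged."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError("not an iptables counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_iptables_nvl(text):
    """Return a list of rule dicts from `iptables -nvL` output (any number of chains)."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain INPUT (policy ...)" -> INPUT
            continue
        parts = line.split()
        # Skip blank lines, the column header and anything too short to be a rule.
        if len(parts) < 9 or parts[0] == "pkts":
            continue
        pkts, nbytes, target, prot, opt, iface_in, iface_out, src, dst = parts[:9]
        rules.append({
            "chain": chain,
            "pkts": parse_counter(pkts),
            "bytes": parse_counter(nbytes),
            "target": target, "prot": prot, "in": iface_in, "out": iface_out,
            "source": src, "destination": dst,
            "extra": " ".join(parts[9:]),    # match extensions, e.g. "tcp dpt:22"
        })
    return rules


def drop_counters(text, source_ip, chain="INPUT"):
    """Sum (pkts, bytes) over DROP rules in `chain` whose source is source_ip."""
    wanted = {source_ip, source_ip + "/32"}  # -n may print a host with or without /32
    pkts = nbytes = 0
    for r in parse_iptables_nvl(text):
        if r["chain"] == chain and r["target"] == "DROP" and r["source"] in wanted:
            pkts += r["pkts"]
            nbytes += r["bytes"]
    return pkts, nbytes


def live_drop_counters(source_ip, chain="INPUT"):
    """Hypothetical helper: the same check against the running firewall (needs root)."""
    out = subprocess.run(["iptables", "-nvxL", chain], check=True,
                         capture_output=True, text=True).stdout
    return drop_counters(out, source_ip, chain)


if __name__ == "__main__":
    pkts, nbytes = drop_counters(SAMPLE, "203.0.113.7")
    if pkts:
        print("DROP rule is matching: %d packets, %d bytes dropped" % (pkts, nbytes))
    else:
        print("DROP rule has matched nothing yet: check -s, the chain and rule order")
```

Run it against the real firewall with `iptables -nvxL INPUT | python3 check.py` style piping (or the `live_drop_counters` helper) and watch the packet count climb while tcptrace keeps showing the SYNs; if the count stays at zero, the rule is not the one matching the traffic, usually because an earlier ACCEPT rule wins or the address was mistyped.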