    TCP Intercept to prevent TCP SYN flood DoS

    ========phanx.com=========
    Author:  phanx
    Updated: 2008-12-18
    =========================
     
    Today somebody actually SYN flooded my Web Server; there really are a lot of bored people out there...
    By chance I went onto the Router to check and found a huge number of NAT entries. A look at the ports showed a clear pattern: all heading to port 80 on the Web Server, all from the same source address, with source ports increasing one by one.
    Most likely a TCP SYN flood, though fortunately not a very large one.
     
    So I used TCP Intercept, the SYN flood DoS protection built into the 2800.
    The configuration is simple and took effect immediately: in watch mode the router leaves the handshake to the server but tracks it, and any connection that is not Established within the 5 second watch-timeout gets a TCP RST sent to the Server to clear the half-open entry.
     
    ip tcp intercept list TCPINTERCEPT
    ip tcp intercept connection-timeout 300
    ip tcp intercept watch-timeout 5
    ip tcp intercept mode watch
     
    ip access-list extended TCPINTERCEPT
       permit tcp any host 188.8.8.8 eq 80
     
     
    phanx_Router#sh tcp intercept con
    Incomplete:
    Client                Server                State    Create   Timeout  Mode
    221.201.145.24:51247  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
    221.201.145.24:51246  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
    221.201.145.24:51245  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
    221.201.145.24:51251  188.8.8.8:80        SYNSENT  00:00:03 00:00:01 W
    221.201.145.24:51250  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
    221.201.145.24:51249  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
    221.201.145.24:51248  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
             
    Established:
     
     
    phanx_Router#sh tcp intercept st
    Watching new connections using access-list TCPINTERCEPT
    11 incomplete, 0 established connections (total 11)
    55 connection requests per minute
     
    Phew, not a serious one...
     

    Below are the NAT records.
    phanx_Router#sh ip nat translations
    Pro Inside global         Inside local          Outside local         Outside global
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1055    60.240.247.48:1055
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1060    60.240.247.48:1060
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1061    60.240.247.48:1061
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1094    60.240.247.48:1094
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1116    60.240.247.48:1116
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3688    60.240.247.48:3688
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3689    60.240.247.48:3689
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3690    60.240.247.48:3690
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:4887    60.240.247.48:4887
    tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:4993    60.240.247.48:4993
    tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:59779  94.240.224.240:59779
    tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:60091  94.240.224.240:60091
    tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:62937  94.240.224.240:62937
    tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:64645  94.240.224.240:64645
    tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:65373  94.240.224.240:65373
    tcp 218.104.217.135:80    188.8.8.8:80        121.229.68.69:1134    121.229.68.69:1134
    tcp 218.104.217.135:80    188.8.8.8:80        123.115.1.69:7744     123.115.1.69:7744
    tcp 218.104.217.135:80    188.8.8.8:80        123.115.1.69:8241     123.115.1.69:8241
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:18860  221.201.145.24:18860
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:18999  221.201.145.24:18999
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40572  221.201.145.24:40572
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40573  221.201.145.24:40573
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40574  221.201.145.24:40574
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40575  221.201.145.24:40575
    tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40576  221.201.145.24:40576
    tcp 218.104.217.135:80    188.8.8.8:80        —                   —
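The pattern spotted above, one source address holding many translations to port 80 with consecutive source ports, can be checked mechanically instead of by eye. The following is an added example, not part of the original post or of any Cisco tool: it parses the text of `show ip nat translations`, groups entries by outside global address and flags sources that combine a high entry count with a long run of sequential ports. The sample output embedded in the script is constructed to mirror the listing above (addresses, ports and the thresholds are illustrative), so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip nat translations` output, modelled on the
# listing in the post. Addresses and ports are invented for the example.
SAMPLE_NAT_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 218.104.217.135:80    188.8.8.8:80          60.240.247.48:1055    60.240.247.48:1055
tcp 218.104.217.135:80    188.8.8.8:80          60.240.247.48:1060    60.240.247.48:1060
tcp 218.104.217.135:80    188.8.8.8:80          94.240.224.240:59779  94.240.224.240:59779
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40572  221.201.145.24:40572
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40573  221.201.145.24:40573
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40574  221.201.145.24:40574
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40575  221.201.145.24:40575
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40576  221.201.145.24:40576
tcp 218.104.217.135:80    188.8.8.8:80          221.201.145.24:40577  221.201.145.24:40577
tcp 218.104.217.135:80    188.8.8.8:80          ---                   ---
"""

# One translation line: protocol, then four addr:port columns.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<ig>\S+):(?P<ig_port>\d+)\s+"
    r"(?P<il>\S+):(?P<il_port>\d+)\s+"
    r"(?P<ol>\S+):(?P<ol_port>\d+)\s+"
    r"(?P<og>\S+):(?P<og_port>\d+)\s*$"
)


def parse_nat_translations(text, proto="tcp", server_port=80):
    """Return {outside_global_ip: sorted outside ports} for entries whose
    inside-local port is server_port. Header lines (including the header
    repeated after --More--) and the static '---' entry do not match and
    are skipped."""
    sources = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != proto or int(m["il_port"]) != server_port:
            continue
        sources[m["og"]].append(int(m["og_port"]))
    return {ip: sorted(ports) for ip, ports in sources.items()}


def longest_sequential_run(ports):
    """Longest run of consecutive port numbers in an already sorted list.
    A client opening sockets in a tight loop tends to produce such runs;
    normal browsers reuse and scatter ephemeral ports far more."""
    if not ports:
        return 0
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_suspects(text, min_entries=5, min_run=4):
    """Sources holding at least min_entries translations to the server AND
    a sequential port run of at least min_run. The thresholds are
    illustrative assumptions; tune them to the site's normal traffic."""
    suspects = {}
    for ip, ports in parse_nat_translations(text).items():
        run = longest_sequential_run(ports)
        if len(ports) >= min_entries and run >= min_run:
            suspects[ip] = {"entries": len(ports), "sequential_run": run}
    return suspects


if __name__ == "__main__":
    for ip, info in find_suspects(SAMPLE_NAT_OUTPUT).items():
        print(f"{ip}: {info['entries']} entries, "
              f"{info['sequential_run']} sequential ports")
```

On the constructed sample only 221.201.145.24 is flagged; the two-entry and one-entry clients fall below both thresholds. In practice the router output would be pulled over SSH or from a syslog-triggered capture and fed to `find_suspects`, and the flagged addresses are exactly the ones to compare against `show tcp intercept connections` to confirm they are stuck in SYNSENT rather than completing the handshake.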