Quote:
Originally posted by chort
SFAIK SYN cookies will only help you if the same IP is trying to SYN flood you, but it won't help if multiple IPs are sending one SYN each.
It shouldn't make a difference. Once the queue begins to fill, the system won't enter any new states into the table unless the remote system(s) sending SYNs responds to the SYN-ACK with the proper "cookie". So whether it's one or a bunch, as long as it isn't attempting real TCP connections, then tcp_syncookies should help mitigate it some.
@microsucks:
check the state table to see how many connections are actively in there. With that much RAM, you should at least be able to handle 1024 simultaneous connections. Check the number of entries with:
cat /proc/net/ip_conntrack | wc -l
That should spit out the number of entries in the table. You only posted ~98 entries, so you should be well below the max threshold.
You might also want to fire up tcpdump and capture a few packets in order to get an idea of how big the packets are and how fast they're coming at you. If they're coming in reasonably fast, you can do burst limiting.
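The checks the reply above suggests, worked through as an added example rather than anything posted in the thread: it counts the conntrack table like the `wc -l` one-liner, but also breaks it down by TCP state and by source address, which is what tells a single flooder apart from many hosts sending one SYN each. The dump it parses is a constructed sample in the `nf_conntrack` text format; the file paths, the 1024 limit used for the sample, the tcpdump filter and the iptables rate numbers are assumptions for illustration, not values from the post. On a live box the script reads `/proc/net/nf_conntrack` (or the older `/proc/net/ip_conntrack`) instead, which needs root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Summarizes a conntrack dump
# by total, by TCP state and by source IP, and prints (does not apply) a burst
# limiting rule set. Runs on a constructed sample so it needs no root.

# Constructed sample in nf_conntrack format (RFC 5737 documentation addresses).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431000 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=51235 dport=22 src=198.51.100.5 dst=192.0.2.11 sport=22 dport=51235 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 58 SYN_RECV src=203.0.113.7 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=203.0.113.7 sport=80 dport=40001 mark=0 use=1
ipv4     2 tcp      6 57 SYN_RECV src=203.0.113.7 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=203.0.113.7 sport=80 dport=40002 mark=0 use=1
ipv4     2 tcp      6 55 SYN_RECV src=203.0.113.7 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=203.0.113.7 sport=80 dport=40003 mark=0 use=1
ipv4     2 tcp      6 59 SYN_RECV src=203.0.113.9 dst=198.51.100.5 sport=40010 dport=80 src=198.51.100.5 dst=203.0.113.9 sport=80 dport=40010 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.20 dst=198.51.100.5 sport=53000 dport=53 src=198.51.100.5 dst=192.0.2.20 sport=53 dport=53000 mark=0 use=1
EOF

# count_entries FILE : total entries, same number as `cat FILE | wc -l`
count_entries() {
    wc -l < "$1" | tr -d ' '
}

# count_state FILE STATE : entries in one TCP state, e.g. SYN_RECV (half-open)
count_state() {
    grep -c " $2 " "$1" || true
}

# top_syn_sources FILE [N] : source addresses holding the most half-open entries;
# uses the first src= field, i.e. the original direction of the flow
top_syn_sources() {
    grep " SYN_RECV " "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# usage_percent COUNT MAX : how full the table is, as an integer percentage
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# report FILE MAX : print the summary for one dump
report() {
    total=$(count_entries "$1")
    half_open=$(count_state "$1" SYN_RECV)
    echo "entries: $total / $2 ($(usage_percent "$total" "$2")% of max)"
    echo "half-open (SYN_RECV): $half_open"
    echo "top SYN sources:"
    top_syn_sources "$1" 5 | sed 's/^/  /'
}

# burst_limit_rules : prints iptables rules that let new SYNs through at a steady
# rate with a burst allowance and drop the excess. The 25/s and 50 figures are
# illustrative; tune them to what tcpdump shows. Nothing is applied here.
burst_limit_rules() {
    cat <<'EOF'
iptables -N SYN_LIMIT
iptables -A SYN_LIMIT -m limit --limit 25/second --limit-burst 50 -j RETURN
iptables -A SYN_LIMIT -j DROP
iptables -I INPUT -p tcp --syn -j SYN_LIMIT
EOF
}

# To measure the incoming rate before picking numbers, capture bare SYNs only
# (SYN set, ACK clear), e.g.:
#   tcpdump -n -i eth0 -c 200 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Use the kernel's table and its real limit when readable, else the sample.
if [ -r /proc/net/nf_conntrack ]; then
    LIVE=/proc/net/nf_conntrack
elif [ -r /proc/net/ip_conntrack ]; then
    LIVE=/proc/net/ip_conntrack
else
    LIVE=""
fi
if [ -n "$LIVE" ]; then
    MAX=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null \
          || cat /proc/sys/net/ipv4/ip_conntrack_max 2>/dev/null || echo 65536)
    echo "== $LIVE =="
    report "$LIVE" "$MAX"
    echo "tcp_syncookies = $(cat /proc/sys/net/ipv4/tcp_syncookies 2>/dev/null || echo unknown)"
else
    echo "== constructed sample =="
    report "$SAMPLE" 1024
fi
echo "== suggested burst limiting (not applied) =="
burst_limit_rules
```

On the sample, the report shows 7 entries, 4 of them half-open, with 203.0.113.7 holding 3 of the 4: that pattern is one source, which is exactly the case where per-source rate limiting bites. If instead the half-open entries are spread across hundreds of addresses with one each, the `-m limit` rule above still caps the aggregate SYN rate, and the kernel-side `tcp_syncookies` setting the reply mentions is what keeps the backlog from filling.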