1. How could a net-newbie distinguish an
accidental flood to a regular service (25,80,443,21+high ports)
from a DOS/DDOS attack?
what's to be looked for?

2. The funny thing is: when I stop the firewall, the traffic goes away
(ports are 'closed' instead of 'filtered'?)
the service does not run in either case?
the firewall in question is "arno's iptables"

3. What does "scanning attempt" in firewall logs stand for?
Doesn't normal operation involve 'scanning' of ports too?

4. Shall a linux user resort to AIDE or shall we "know stuff" and "roll our own"?

5. where does one turn to (homework) to understand this? 8)

I a total lammer and loosing "it" here, please be kind when kicking me :-( for this post...

1) The only thing I can think of is look for a very large number of SYN packets. From what I understand, the basic idea of a DoS attack is to open all the network connections allowed and cause the router/server to deny opening any more. Now, those SYN packets would probably come from illegitimate addresses, such as any of the private blocks (10.x.x.x, 172.16.x.x, 192.168.x.x) so as to keep a computer from answering a SYN packet request.

2) When the port is "closed", you're responding back to a request if the port is open or not. The only way to truly "stealth" a port (as in make it seem like nothing exists) is to filter it, and that is basically meaning not responding to anything that hasn't been asked for. The reason you don't see firewall logs grow when the firewall is off is that your computer, even with ports closed, is responding to requests.

3) Normal operation does not include "scanning" for ports. Scanning for ports means sending SYN packets to sequential ports to see what state the port is in. You can randomize what order you hit ports in to find scanning attempts, but I think they're generally still caught, though.

4) For intrusion detection, do as you see fit. Although many good security guys will tailor intrusion detection as they see fit

5) Look in books, on the web, here. . .basically, go anywhere you can to find information, and try to find that information from 3 sources if you want to ensure its legitimacy.

Kind thanks, ARC1450,

It does konfirm my guesses.

I meant 'no traffic' was showing zero troughput on gkrellm (I monitor my "exposed one" via gkrellmd+gkrellm.

While the firewal is 'down' there apears to be no traffic? Is aswering to a 'closed' port - no traffic?

I also added a custom rule to "DROP" (and tried "TARPIT" too ?) all traffic originating from the offending ports, then the traffic merely declined but still i was flooded (or is the propper term "congestion"?).

Namely, my 'flooded' host is a DNS server and got hit by mail servers while having no mail service. A week before i had a test-run of postfix on it, but I decided I have no time to learn it and stopped it for the moment. Few days after I noticed the flood?

Am I doing something (what?) wrong?
:-(