Lucian Gheorghe

Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and L7-filter

  • ritahu quoted, 4 years ago
    The first command shows the backlog size of 1024, and the second command sets it to 2048.

    The default Linux Kernel behavior is to discard new SYN packets if the queue is full.
  • ritahu quoted, 4 years ago
    can use iptables to protect against SYN flooding by limiting the number of SYN packets in a defined amount of time, as we did for ICMP
  • ritahu quoted, 4 years ago
    very large number of SYN packets without regarding the SYNACK the attacked host sends back. This type of attack is called TCP SYN attack or SYN flooding.
  • ritahu quoted, 4 years ago
    SYN flooding can be successful as the attacked computer keeps track of partially opened connections for a minimum of 75 seconds in a "listen queue". The queue is limited on various TCP implementations; therefore a SYN flood can fill it up, causing the machine to reboot or to crash.
  • ritahu quoted, 4 years ago
    fragmented IP packets that could not be assembled properly by the attacked machine, by manipulating the offset values of the packets. The effect was a kernel panic in Linux or a blue screen in Windows. A reboot solved the problem until the next attack.
  • ritahu quoted, 4 years ago
    Those tools exploit a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95. Teardrop sent frag
  • ritahu quoted, 4 years ago
    destined to one host to the attacker's IP address.
  • ritahu quoted, 4 years ago
    ICMP Flooding is one of the easiest ways to attack a host. ping is one of the most commonly used tools to verify connectivity, but it can also be used as a DoS attack tool.
  • ritahu quoted, 4 years ago
    Using spoofed IP addresses, an attacker might disrupt communications between two hosts by sending "Time Exceeded" or "Destination Unreachable" messages to both hosts, resulting in a DoS attack.

    By sending ICMP "redirect" messages, an attacker might force a router to forward packets
  • ritahu quoted, 4 years ago
    Protocols like POP3, SMTP, SNMP, etc., transmit passwords in clear text, and so, decoding captured IP packets may result in disclosing such sensitive data. Packet sniffers like dsniff have very nice tools to decode those packets and store this information in a file in clear text.
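The two SYN-flood defences the highlights above mention, the finite listen queue (backlog 1024 vs. 2048, new SYNs dropped when it is full, half-open entries kept for 75 seconds) and an iptables-style limit on SYN packets per unit of time, modelled as an added illustration; this is not code from the book, and the packet trace, the 10 ms spacing and the 1/s, burst 4 limit are constructed values.

```python
"""Model of a SYN listen queue and of an iptables '-m limit'-style token
bucket, applied to a constructed SYN flood. Timestamps are integer
milliseconds so the arithmetic is exact."""
from collections import deque

HALF_OPEN_TIMEOUT_MS = 75_000  # a half-open entry lingers 75 s, as quoted above


def listen_queue_drops(syn_times_ms, backlog=1024, timeout_ms=HALF_OPEN_TIMEOUT_MS):
    """Count SYNs discarded because the half-open queue is full.
    Entries only leave the queue by timing out: a flood never completes
    the handshake, so nothing is promoted to an established connection."""
    queue = deque()
    dropped = 0
    for t in syn_times_ms:
        while queue and t - queue[0] >= timeout_ms:
            queue.popleft()          # expired half-open entry
        if len(queue) >= backlog:
            dropped += 1             # default kernel behaviour: discard new SYN
        else:
            queue.append(t)
    return dropped


def rate_limit(syn_times_ms, rate_per_sec=1, burst=4):
    """Token bucket like iptables '-m limit --limit <rate>/s --limit-burst <burst>'.
    Tokens are kept in thousandths; the bucket starts full and refills at
    rate_per_sec. Returns (accepted, dropped)."""
    cap = burst * 1000
    tokens = cap
    last = syn_times_ms[0] if syn_times_ms else 0
    accepted = dropped = 0
    for t in syn_times_ms:
        tokens = min(cap, tokens + (t - last) * rate_per_sec)  # ms * tokens/s
        last = t
        if tokens >= 1000:
            tokens -= 1000
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# Constructed flood: 2000 SYNs, one every 10 ms, none ever completed.
FLOOD = [i * 10 for i in range(2000)]

if __name__ == "__main__":
    print("drops with backlog 1024:", listen_queue_drops(FLOOD, 1024))
    print("drops with backlog 2048:", listen_queue_drops(FLOOD, 2048))
    print("accepted/dropped at 1/s burst 4:", rate_limit(FLOOD))
```

Doubling the backlog absorbs this particular 20-second burst, while the rate limit lets only the initial burst plus one SYN per second through, which is why the book pairs the two measures.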