来自IP的持续stream量

我从IP获得持续的stream量。我检查了Web服务器日志，什么都没发现。我已经使用IP表closures端口80没有成功。

这是我已经提取：

TCPDumpclosures端口80后： ... 16:29:58.352491 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 2165011454, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.354140 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1721916742, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.437774 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 363447977, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.524299 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 137986954, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.610422 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1651557377, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.695648 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1644752218, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.762889 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 708774106, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.781295 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1366521335, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.821036 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1828494182, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.866077 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 858654160, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.957206 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 497033597, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:59.040977 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 698028417, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 ... ... 16:29:58.352491 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 2165011454, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.354140 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1721916742, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.437774 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 363447977, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.524299 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 137986954, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.610422 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1651557377, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.695648 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1644752218, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.762889 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 708774106, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.781295 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1366521335, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.821036 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 1828494182, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.866077 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 858654160, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:58.957206 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 497033597, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:29:59.040977 IP elfmoney.ru.www > ME.DOMAIN.www: Flags [S], seq 698028417, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 ...

我怎样才能find更多关于发生了什么？

 iptables -t raw -A PREROUTING -p all -j ACCEPT ; iptables -t raw -I PREROUTING -s iptoblock -p all -j DROP ; iptables -I INPUT 1 -s iptoblock -p all -j DROP ;

用IP地址冒名顶替iptoblock。让我知道，如果它的作品！

您可以通过允许发送SYN-ACK来响应几个SYN数据包来发现源IP是否被欺骗。如果客户端用有效的ACK包回复SYN-ACK，则客户端IP不被欺骗。

如果客户端IP被欺骗了，那么你可以做的事情就不多了。

如果客户端IP是真实的，那么您可以使用LaBrea或类似的工具来降低速度。

不过，如果数据包的发送方忽略了所有发回的回复（这对于SYN洪水来说通常是这样做的），那么最好的办法就是使用SYN cookies来确保您的服务保持对合法的function用户。