(Please trim inclusions from previous messages) _______________________________________________ 44net-request(a)hamradio.ucsd.edu wrote: It is not specifically from that address. It appears to be a distributed attack on http servers, at least to network 44. I see the same incoming stream of connects to several hosts in my subnet, all from a different source IP. Sometimes after several hours it stops and starts from another IP. I have crafted iptables rules that block it effectively: iptables -A firewall -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A firewall -p tcp --syn -m recent --name tcp --set iptables -A firewall -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 15 -j DROP iptables -A firewall -p tcp --dport 80 --syn -j ACCEPT iptables -A firewall -p tcp --dport 443 --syn -j ACCEPT iptables -A firewall -p tcp -j DROP It just drops any source IP that sends more than 15 connects in 30 seconds. Adjust for the port numbers that you want to accept (80 and 443 in this example) There is also an internet-wide scan from source address 64.78.174.63 with traffic like this: 21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 I see it on another server outside net-44 as well. It is blocked by the same rule but I have just firewalled the entire 64.78.160.0/20 net as this does not look like someone I want to deal with. Rob