Linode Forum
Linode Community Forums
 Post subject: SYN flood to ircd port
PostPosted: Fri Jun 18, 2004 2:03 pm 
Offline
Newbie

Joined: Mon Jun 14, 2004 9:10 pm
Posts: 2
Is anyone else getting hit with a SYN flood to the ircd port? I am getting *hammered* from dozens of src addresses even though I have iptables set to block all traffic to that port.

BTW, what is the policy on bw usage in this situation? Surely I'm not expected to pay for BS traffic like this? Especially when I'm not even running an IRC server.


 Post subject:
PostPosted: Fri Jun 18, 2004 3:47 pm 
Offline
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
http://www.linode.com/forums/viewtopic.php?t=916 should help you, specifically asura's reference to portsentry.

Yeah, some software firewall would help if you don't want portsentry automatically blocking IPs. Any firewall should do.


 Post subject:
PostPosted: Mon Jun 21, 2004 7:40 am 
Offline
Newbie

Joined: Mon Jun 14, 2004 9:10 pm
Posts: 2
Portsentry wouldn't help much in this case since the volume of SYN packets is very high and there is nothing I can do at my node other than change my IP address to keep them from coming. Also, the number of src IP addresses is very high, which may either mean some of the addresses are spoofed or that there is a zombie network in play. If the former, you have to be careful with portsentry as a smart attacker can make the DoS worse by doing things like spoofing portsentry into blocking your DNS servers.

That's actually a technique that I often use when doing a pen-test on a network with reactive IDS/IDP. You'd be surprised how effective spoofing attack packets from upstream DNS servers can be at getting the IDS/IDP turned off. Especially if you start the spoofing on Friday evening. Most admins will just disable it for the weekend so that they don't have to come in and tweak things on their days off. ;)


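The caveat in the post above (a reactive blocker that bans whatever source address appears in the log can be tricked into banning your own resolvers, and per-source bans are futile against a large spoofed or botnet source set) as an added example, not code from the thread or from portsentry: a minimal blocking policy over constructed log lines that refuses to ban a protected address list and flags floods whose distinct-source count makes per-source blocking pointless. The log format, the `PROTECTED` set and the thresholds are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not from the thread): "<time> SYN <src> -> <dport>".
SAMPLE_LOG = [
    "2004-06-18T14:00:01 SYN 203.0.113.10 -> 6667",
    "2004-06-18T14:00:01 SYN 203.0.113.10 -> 6667",
    "2004-06-18T14:00:01 SYN 203.0.113.10 -> 6667",
    "2004-06-18T14:00:02 SYN 198.51.100.53 -> 6667",
    "2004-06-18T14:00:02 SYN 198.51.100.53 -> 6667",
    "2004-06-18T14:00:02 SYN 198.51.100.53 -> 6667",
    "2004-06-18T14:00:03 SYN 192.0.2.7 -> 6667",
    "2004-06-18T14:00:03 SYN 192.0.2.8 -> 22",
]

# Addresses the blocker must never ban (constructed): the host's own resolvers.
# A SYN with this (possibly spoofed) source must not cut off name resolution.
PROTECTED = {ipaddress.ip_address("198.51.100.53")}

def count_syns(lines, dport=6667):
    """Count SYNs per source address aimed at dport; skip malformed lines."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "SYN" or parts[3] != "->":
            continue
        try:
            src = ipaddress.ip_address(parts[2])
            port = int(parts[4])
        except ValueError:
            continue
        if port == dport:
            counts[src] += 1
    return counts

def plan_blocks(counts, protected, threshold=3):
    """Split over-threshold sources into (to_block, refused_protected)."""
    to_block, refused = [], []
    for src, n in counts.items():
        if n < threshold:
            continue
        (refused if src in protected else to_block).append(str(src))
    return sorted(to_block), sorted(refused)

def looks_distributed(counts, max_ratio=0.5):
    """True when distinct sources exceed max_ratio of all SYNs: per-source
    blocking then only chases spoofed or botnet addresses one by one."""
    total = sum(counts.values())
    return total > 0 and len(counts) / total > max_ratio

if __name__ == "__main__":
    c = count_syns(SAMPLE_LOG)
    print(plan_blocks(c, PROTECTED))  # (['203.0.113.10'], ['198.51.100.53'])
    print(looks_distributed(c))       # False: 3 sources over 7 SYNs
```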
 Post subject:
PostPosted: Tue Jun 22, 2004 8:37 pm 
Offline
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
We never used automated port blocking at my current job, or the last ones. There's just too much that can go wrong: the wrong port gets blocked due to a false positive; smart intrusion techniques...

We do all blocking by hand and we monitor 24/7 with specialists. Of course, I don't work for an ISP, either. I work in a federal facility that thrives on neutralizing attacks and viruses. We just laugh at port scans and we've never been DoS'd or DDoS'd. I don't think anyone would have the stones to do that and even if they did, I doubt it would be effective.

For a person with a Linode seeing huge scans from multiple IPs, I do suggest portsentry and hope the guy(s) on the other end aren't too bright, or you can just deal with it. Jumping through hoops to get the IP changed won't help if the person can find the IP again. Either that, or just manually use a firewall and create rules by hand (and broaden the rules... I wouldn't hesitate to block huge net ranges, at least for the duration of the attack). Other than those suggestions, there's not much you can do, IMO.

