These are tools I use for managing things on servers.

block    - Block an IPv4 address.
unblock  - Unblock an IPv4 address.
theDrain - Watch, log, and help mitigate SYN floods.

theDrain must not be your first line of defence against a SYN flood. There are much better mitigations such as SYN cookies and various other sysctl settings. theDrain is intended for watching, logging and IP-blocking large offenders to lighten the load and stop the sending of wasted SYN-ACKs. Blocking only happens if run as root.

Care must be taken to set the $max_ho variable to a value that is sane for your server and will not catch too many innocents making heavy but normal use of the system. The current default is one that worked well on the more used of the 2 servers that this was written for. theDrain is also not good at catching highly distributed attacks. Again, it must not be your first line of defense.

It is however very good at letting you see the IP addresses involved and then manually blocking them, should you choose to, using the net block retrieved from whois in CIDR format. For example, if you saw a lot of 117.221.1x.xx numbers you could do a whois on one of them, let's say 117.221.14.131. When you run:

    whois 117.221.14.131

you can see from the line:

    % Information related to '117.221.0.0/20AS9829'

that the net block in question is 117.221.0.0/20. Often there is a CIDR: line with this info instead/also.

Running:
--------

block and unblock are fairly self-explanatory so I won't talk about them.

theDrain has several ways it can be run. Executing it as a non-privileged user takes a quick look and prints out stats on half-open connections. Executing it as root does the same as above but blacklists any IPs with more than $max_ho half-open connections. I find that running something like:

    watch -n 5 theDrain

as either root or a non-privileged user, depending on whether you want to monitor or to monitor and block, works very well. theDrain also logs to a file, drain.txt, so you can leave it running via watch and come back later to see what was blocked. It will also fire off e-mail alerts if it sees more than $alert_level half-open connections, sending the alert to the address specified in $alert_to. Definitely take a look at the source and set the variables in a way that is sane for your use.
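As an added example (this is not the code of block, unblock or theDrain, just an illustration of the idea), the POSIX shell functions below show the two steps described above: counting SYN_RECV entries per foreign address from netstat-style output and picking out the addresses over a threshold (the variable is called max_ho here to mirror the README, but its value, the function names and the netstat and whois samples are all assumptions constructed for the example), and pulling the CIDR net block out of a whois reply. Nothing here blocks anything; it only produces the list that theDrain, when run as root, would act on.

```shell
#!/bin/sh
# Added example, not part of theDrain. Reads netstat-style output and whois
# output from stdin so it can be run offline on the constructed samples below.

max_ho=3   # assumed threshold; plays the role of $max_ho in theDrain

# Constructed sample of `netstat -ant` output using documentation address ranges.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51237       SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.23:40001     SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.23:40002     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:55000      ESTABLISHED
EOF
}

# Constructed whois fragment; the "Information related to" line is the one
# quoted in the README above.
sample_whois() {
  cat <<'EOF'
% Information related to '117.221.0.0/20AS9829'
inetnum:        117.221.0.0 - 117.221.15.255
netname:        EXAMPLE-NET
EOF
}

# half_open_counts: for every foreign address with at least one SYN_RECV
# entry, print "count ip", highest count first. The port is stripped with a
# sub() on the last ":port" so IPv6 addresses would survive too.
half_open_counts() {
  awk '$NF == "SYN_RECV" { ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: print only the IPs whose half-open count exceeds $1
# (default $max_ho). This is the list theDrain would block as root.
offenders() {
  limit=${1:-$max_ho}
  half_open_counts | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# whois_cidr: extract IPv4 CIDR blocks from whois output, one per line,
# de-duplicated. Covers both a "CIDR:" field and the quoted range in
# "% Information related to '.../20AS...'" (the match stops before "AS").
whois_cidr() {
  grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}' | sort -u
}

# Demo run on the constructed samples.
echo "half-open connections per source IP:"
sample_netstat | half_open_counts
echo "offenders with more than $max_ho half-open connections:"
sample_netstat | offenders
echo "net block(s) from whois:"
sample_whois | whois_cidr
```

On a live box the functions would be fed with `netstat -ant | half_open_counts` and `whois 117.221.14.131 | whois_cidr`. Note that a per-IP count is exactly why this approach misses distributed floods: many sources each staying under max_ho never show up as offenders, which is the README's point about keeping SYN cookies and the sysctl settings as the real defence.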