
My web server is currently under a DDoS attack, I believe; the messages log is full of this kind of message:

May 13 15:51:19  kernel: nf_conntrack: table full, dropping packet.  
May 13 15:51:19  last message repeated 9 times  
May 13 15:51:24  kernel: __ratelimit: 78 callbacks suppressed  
May 13 15:51:24  kernel: nf_conntrack: table full, dropping packet.  
May 13 15:52:06  kernel: possible SYN flooding on port 80. Sending cookies.  

and netstat shows a huge number of the following:

tcp        0      0 my.host.com:http     bb176da0.virtua.com.br:4998 SYN_RECV  
tcp        0      0 my.host.com:http     187.0.43.109:2694           SYN_RECV  
tcp        0      0 my.host.com:http     109.229.4.145:1722          SYN_RECV  
tcp        0      0 my.host.com:http     189-84-163-244.sodobr:63267 SYN_RECV  
tcp        0      0 my.host.com:http     bd66839d.virtua.com.br:3469 SYN_RECV  
tcp        0      0 my.host.com:http     69.101.56.190.dsl.int:52552 SYN_RECV  
tcp        0      0 my.host.com:http     pc-62-230-47-190.cm.vt:2262 SYN_RECV  
tcp        0      0 my.host.com:http     189-84-163-244.sodobr:63418 SYN_RECV  
tcp        0      0 my.host.com:http     pc-62-230-47-190.cm.vt:1741 SYN_RECV  
tcp        0      0 my.host.com:http     zaq3d739320.zaq.ne.jp:2141  SYN_RECV  
tcp        0      0 my.host.com:http     netacc-gpn-4-80-73.po:52676 SYN_RECV  

tcpdump shows:

7:11:08.564510 IP 187-4-1xx-4.xxx.ipd.brasiltelecom.net.br.54821 > my.host.com.http: S 999692166:999692166(0) win 65535 <mss 1452,nop,nop,sackOK>  
17:11:08.566347 IP 114-44-171-67.dynamic.hinet.net.1129 > my.host.com.http: S 605369055:605369055(0) win 65535 <mss 1440,nop,nop,sackOK>  
17:11:08.570210 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5590 > my.host.com.http: S 2813379182:2813379182(0) win 16384 <mss 1460,nop,nop,sackOK>  
17:11:08.571290 IP dsl-189-143-30-99-dyn.prod-infinitum.com.mx.1615 > my.host.com.http: S 281542700:281542700(0) win 65535 <mss 1452,nop,nop,sackOK>  
17:11:08.583847 IP dsl-189-143-30-99-dyn.prod-infinitum.com.mx.1617 > my.host.com.http: S 499413892:499413892(0) win 65535 <mss 1452,nop,nop,sackOK>  
17:11:08.588680 IP 170.51.229.112.2569 > my.host.com.http: S 2195084898:2195084898(0) win 65535 <mss 1460,nop,nop,sackOK>  
17:11:08.588773 IP gw2-1.211.ru.3180 > my.host.com.http: F 2315901786:2315901786(0) ack 2620913033 win 64240  
17:11:08.590656 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5614 > my.host.com.http: S 2813715032:2813715032(0) win 16384 <mss 1460,nop,nop,sackOK>  
17:11:08.591212 IP 203.82.82.54.15848 > my.host.com.http: S 4070423507:4070423507(0) win 16384 <mss 1400,nop,nop,sackOK>  
17:11:08.591254 IP 203.82.82.54.2545 > my.host.com.http: S 1790910784:1790910784(0) win 16384 <mss 1400,nop,nop,sackOK>  
17:11:08.591289 IP 203.82.82.54.28306 > my.host.com.http: S 578615626:578615626(0) win 16384 <mss 1400,nop,nop,sackOK>  
17:11:08.591591 IP gw2-1.211.ru.3191 > my.host.com.http: F 2316435991:2316435991(0) ack 2634205972 win 64240  
17:11:08.591790 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5593 > my.host.com.http: S 2813659017:2813659017(0) win 16384 <mss 1460,nop,nop,sackOK>  
17:11:08.593691 IP gw2-1.211.ru.3203 > my.host.com.http: F 2316834420:2316834420(0) ack 2629074987 win 64240  

I'm not sure what I can do to limit/mitigate this; currently no web pages are being served. Any help gratefully appreciated.

quanta
  • may need to just wait it out, or contact your upstream provider to have them start firewalling off this traffic. – cpbills May 13 '10 at 16:24

1 Answer


I've managed to solve this; here is the solution in case it helps anyone:

netstat -an | grep :80 | grep SYN_RECV

This will show all the IPs that are in this attack; simply block this list in your firewall and the attack won't have any effect. (I use APF, so it was just apf -d for every IP.)

You may have to run this command a few times after you block the IPs, as I think netstat is limited in the number of IPs it shows; I had to run it a few times before the command showed no IPs.

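As an added example (not code from the question or answer, and not the APF command the answerer used), the following POSIX shell script automates the triage step described in the answer: it parses netstat output for half-open connections to a port, counts them per source address, and applies the caveat raised in the comments, since when every SYN arrives from a different address the sources are probably spoofed and a per-IP block list achieves nothing. The netstat lines in SAMPLE_NETSTAT are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not taken from the post):
# three half-open connections from 203.82.82.54, two from 189.84.163.244,
# one from 170.51.229.112, plus an ESTABLISHED line and a port-443 line
# that must be ignored when we look at port 80.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80    203.82.82.54:15848    SYN_RECV
tcp        0      0 10.0.0.5:80    203.82.82.54:2545     SYN_RECV
tcp        0      0 10.0.0.5:80    203.82.82.54:28306    SYN_RECV
tcp        0      0 10.0.0.5:80    189.84.163.244:63267  SYN_RECV
tcp        0      0 10.0.0.5:80    189.84.163.244:63418  SYN_RECV
tcp        0      0 10.0.0.5:80    170.51.229.112:2569   SYN_RECV
tcp        0      0 10.0.0.5:80    198.51.100.7:40001    ESTABLISHED
tcp        0      0 10.0.0.5:443   203.82.82.54:30000    SYN_RECV'

# Read netstat output on stdin; print "count ip" for every remote address
# with half-open (SYN_RECV) connections to local port $1, busiest first.
syn_recv_sources() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, l, ":"); if (l[n] != port) next     # local port
            m = split($5, r, ":")                             # strip remote port,
            ip = substr($5, 1, length($5) - length(r[m]) - 1) # works for IPv6 too
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Summarise the list and apply the caveat from the comments: if every
# half-open connection comes from a different address, the sources are
# probably spoofed/random and a per-IP block list will not help.
syn_recv_verdict() {
    sources=$(syn_recv_sources "$1")
    distinct=$(printf '%s\n' "$sources" | awk 'NF { n++ } END { print n + 0 }')
    total=$(printf '%s\n' "$sources" | awk '{ s += $1 } END { print s + 0 }')
    if [ "$total" -eq 0 ]; then
        echo "no half-open connections on port $1"
    elif [ "$distinct" -eq "$total" ]; then
        echo "$total half-open connections, each from a different source: likely spoofed, per-IP blocking will not help"
    else
        echo "$total half-open connections from $distinct sources; repeat offenders:"
        printf '%s\n' "$sources" | awk '$1 > 1'
    fi
}

# Live use: netstat -an | syn_recv_verdict 80
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_verdict 80
```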
  • Note that your solution blocks even legitimate traffic (people who are really trying to establish a connection to use your site), so remember to clear your blocks when the attack is over or some users may have "mysterious problems". Also note DDoS will have new hosts coming in to it over time, so this may only be a temporary fix. – voretaq7 May 13 '10 at 17:04
  • I agree there may be some false positives caught up; however, the most important thing was to get the server working through this attack. I have been monitoring the situation since blocking these and thankfully there do not seem to be any more clients coming in to the attack. –  May 13 '10 at 17:29
  • This is totally wrong. Most SYN flooders use random source addresses, and blocking hundreds of thousands of them will only make your firewall slower and achieve nothing. – Craig Jan 14 '15 at 23:59