My Apache web-server on Linux is being flooded by massive requests for a non-existent file. The immediate impact is the rapid growth of the access & error log. I already took care of this by not logging these requests (if it matched the particular string). We're talking about 40 to 50 requests per second from multiple IP addresses (for the same file).
I initially thought about it being a botnet but I believe it's some script-kiddie spoofing the source ip. I'm running iptables on the server and I was wondering, how these packets reached the application layer (the HTTP server) bypassing the TCP/IP initial handshake? If I have:
--Default Policy for INPUT chain is to DROP
<snip>
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<...>
<snip>
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
...shouldn't the SYN/ACK my server responds with (after an initial connection request) be sent to the spoofed IP? And therefore lost? And if packets are crafted, so as to appear to be from an established connection, shouldn't the state-tracking mechanism of netfilter handle this (via the RELATED,ESTABLISHED line above) and recognize them as not part of an established session and therefore DROP them (via the default policy: DROP)?
Thanks in advance, Craconia
P.S. the requests are coming from valid internet addresses.
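Since the requests reach Apache at all, each of them rides on a completed TCP handshake (a spoofed source never sees the SYN/ACK, exactly as the question reasons), so the first defensive step is to quantify from the access log which paths are being hammered, by how many distinct sources, and at what rate. The script below is an added example, not code from the original post or its author; it parses Apache "combined" format lines (the log format is assumed) and the log lines themselves are constructed sample data, with documentation-range IPs and a made-up path.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" access-log format (assumed); only the leading fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: four 404s for one missing file from two sources within 3 s,
# one normal 200, and one 404 from a single source (which should not be flagged).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /does-not-exist.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /does-not-exist.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /does-not-exist.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /does-not-exist.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:38 +0000] "GET /missing.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, timestamp, method, path, status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def summarize_404s(lines, min_ips=2):
    """Group 404 responses by requested path and report paths hit from >= min_ips sources.

    For each such path: total hits, number of distinct client IPs, the busiest
    sources, the average rate over the observed window and the peak one-second rate.
    """
    by_path = defaultdict(lambda: {"count": 0, "ips": Counter(), "per_sec": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        s = by_path[rec["path"]]
        s["count"] += 1
        s["ips"][rec["ip"]] += 1
        s["per_sec"][rec["ts"]] += 1  # timestamps have 1 s resolution, so ts is the bucket

    report = {}
    for path, s in by_path.items():
        if len(s["ips"]) < min_ips:
            continue  # a single source is a different problem than a distributed flood
        first, last = min(s["per_sec"]), max(s["per_sec"])
        window_s = (last - first).total_seconds() + 1  # inclusive of both end seconds
        report[path] = {
            "count": s["count"],
            "unique_ips": len(s["ips"]),
            "top_ips": s["ips"].most_common(3),
            "avg_per_s": s["count"] / window_s,
            "peak_per_s": max(s["per_sec"].values()),
        }
    return report


def analyze_sample():
    """Run the summary over the constructed sample log."""
    return summarize_404s(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for path, stats in analyze_sample().items():
        print(path, stats)
```

Pointing `summarize_404s` at a real access log (e.g. reading the file line by line) gives the per-path and per-source picture needed to decide between a per-IP rate limit and a temporary block of the offending path; the `min_ips` threshold keeps a single misbehaving client from being reported as a distributed flood.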