Feb 22 2002, 01:15 PM | Post #1
Fellow | Group: Members | Posts: 198 | Joined: 14-August 01 | Member No.: 44

When I do 'netstat -n -o', I see there are lots of TCP connections with the status 'LAST_ACK'. They all come from the same IP address. I suspect that someone is hacking my server. How do I kill those connections?

Thanks!

Feb 22 2002, 01:35 PM | Post #2
Guest_texasweb_* | Guests

kill -9 #####

Feb 22 2002, 01:44 PM | Post #3
SuperGeek | Group: Members | Posts: 1,796 | Joined: 17-October 01 | Member No.: 448

QUOTE Originally posted by texasweb
> kill -9 #####

That'll only work if there's a PID to kill.. which with the type of connection he's seeing, I've had them with no PID there anymore..

From what I was told, the connection is not to worry, as it's just waiting for last close signal and it's not going to come. BLOCK the IP and it will *eventually* go away. Rebooting would remove it but is pretty drastic.

Shortz

Feb 22 2002, 02:33 PM | Post #4
Fellow | Group: Members | Posts: 198 | Joined: 14-August 01 | Member No.: 44

QUOTE Originally posted by Shortfork
> From what I was told, the connection is not to worry, as it's just waiting for last close signal and it's not going to come. Shortz

It is true only when there are a few LAST_ACK TCP connections. But I see hundreds of them coming from the same IP. This could be a serious problem because the server will not have enough resources to service other legitimate connections.

QUOTE Originally posted by Shortfork
> BLOCK the ip and it will *eventually* go away. Rebooting would remove it but is pretty drastic. Shortz

Is there any other way to do it? I know blocking the IP works, but what if that IP is not really attacking my machine?

Feb 22 2002, 04:30 PM | Post #5
SuperGeek | Group: Members | Posts: 1,796 | Joined: 17-October 01 | Member No.: 448

Hummn. Not sure if there is any other way.. Track the IP, if it's coming from Europe or the Asia Pacific block.. nuke it.. or just nuke it for a while.. just add the line at the command line rather than in your script for the rules.. then flush and run your script again and see if it comes back..

Are there any active connections from this IP or just the dead ones?

ShortzShrek
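
Added example, not part of any post in this thread: a small shell function that answers the question raised above (does one remote IP hold only LAST_ACK sockets, or active ones too?) by counting states per remote address in `netstat -n` output. It assumes the Linux net-tools column layout (State in column 6); the function names, the threshold parameter and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# summarize_states [threshold]
# Reads `netstat -n` style output on stdin and prints, for every remote IP
# with at least <threshold> LAST_ACK sockets (default 10):
#   <remote_ip> LAST_ACK=<n> ESTABLISHED=<n>
# Assumed columns (Linux net-tools): Proto Recv-Q Send-Q Local Foreign State
summarize_states() {
    threshold="${1:-10}"
    awk -v t="$threshold" '
        $1 ~ /^tcp/ {
            remote = $5; state = $6
            sub(/:[0-9]+$/, "", remote)          # drop the remote port
            seen[remote] = 1
            if (state == "LAST_ACK")    last[remote]++
            if (state == "ESTABLISHED") est[remote]++
        }
        END {
            for (ip in seen)
                if (last[ip] + 0 >= t)
                    printf "%s LAST_ACK=%d ESTABLISHED=%d\n", ip, last[ip], est[ip]
        }' | sort
}

# Constructed sample input using documentation address ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address     Foreign Address      State       Timer
tcp        0      1 192.0.2.10:80     203.0.113.5:41001    LAST_ACK    on (3.10/4/0)
tcp        0      1 192.0.2.10:80     203.0.113.5:41002    LAST_ACK    on (2.80/4/0)
tcp        0      1 192.0.2.10:80     203.0.113.5:41003    LAST_ACK    on (5.20/5/0)
tcp        0      0 192.0.2.10:80     203.0.113.5:41004    ESTABLISHED off (0.00/0/0)
tcp        0      0 192.0.2.10:22     198.51.100.7:50122   ESTABLISHED keepalive (7100.00/0/0)
tcp        0      1 192.0.2.10:80     198.51.100.7:50123   LAST_ACK    on (1.00/2/0)
EOF
}

# Demo on the constructed sample; on a live host: netstat -n | summarize_states 100
sample_netstat | summarize_states 3
```

A remote address that shows a high LAST_ACK count alongside working ESTABLISHED sessions is a different case from one that shows only half-closed sockets, which is worth knowing before adding a block rule.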