The following 3 statements

# Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them.
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# DDoS
$IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --set
$IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --update --seconds 60 --hitcount 10 -j DROP
seem to work and to help here at a fast Tor relay. CPU went down from 109% to 95%. There are 500 fewer connections than before for a fast Tor relay.
The /proc/net/xt_recent/synflood is quickly filled. Unfortunately I cannot change the "ip_list_tot" of "xt_recent" b/c I do use a non-modular kernel. Does anybody know a circumvention?
Are there any objections to this approach? -- Toralf
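To make the behaviour of the two `-m recent` rules concrete, here is an added offline model (not code from the post or from netfilter) of how xt_recent evaluates them: `--set` records a timestamp for the source address in the named table (creating the entry and evicting the least recently seen address when the table already holds `ip_list_tot` entries), and `--update --seconds 60 --hitcount 10` matches when the address already has at least 10 timestamps in the last 60 seconds, adding another timestamp on a match. The sample addresses and timings are constructed; the table limits default to the module's defaults (`ip_list_tot=100`, `ip_pkt_list_tot=20`). The second scenario shows the problem raised in the post: once the table is full, busy entries get evicted before they ever reach the hit count, so the DROP rule silently stops firing.

```python
"""Offline model of the two xt_recent rules from the post:

  -A INPUT -p tcp -m state --state NEW -m recent --name synflood --set
  -A INPUT -p tcp -m state --state NEW -m recent --name synflood \
      --update --seconds 60 --hitcount 10 -j DROP

Added illustration, not netfilter code. It follows the module's semantics
(per-address ring of timestamps, LRU eviction when the table is full).
All traffic below is constructed.
"""
from collections import OrderedDict


class RecentTable:
    """One named xt_recent table (what /proc/net/xt_recent/synflood shows)."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot          # max addresses remembered
        self.ip_pkt_list_tot = ip_pkt_list_tot  # timestamps kept per address
        self.entries = OrderedDict()            # addr -> stamps; order is LRU

    def _touch(self, addr, now):
        """Record a hit for addr, creating the entry and evicting the LRU one if full."""
        if addr not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)  # least recently seen address goes
            self.entries[addr] = []
        stamps = self.entries[addr]
        stamps.append(now)
        if len(stamps) > self.ip_pkt_list_tot:
            del stamps[0]                         # ring buffer: oldest stamp dropped
        self.entries.move_to_end(addr)            # now the most recently seen

    def set(self, addr, now):
        """--set: always matches and records a timestamp."""
        self._touch(addr, now)
        return True

    def update(self, addr, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if addr has >= N hits in the
        last S seconds; on a match, one more timestamp is recorded."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - seconds)
        if hits >= hitcount:
            self._touch(addr, now)
            return True
        return False


def filter_new_connections(packets, ip_list_tot=100, seconds=60, hitcount=10):
    """Run NEW TCP packets (src_addr, time_in_seconds) through the two rules.
    Returns one verdict per packet: 'DROP' or 'ACCEPT' (fell through)."""
    table = RecentTable(ip_list_tot=ip_list_tot)
    verdicts = []
    for addr, now in packets:
        table.set(addr, now)                    # first rule: record, no target
        if table.update(addr, now, seconds, hitcount):
            verdicts.append("DROP")             # second rule matched: -j DROP
        else:
            verdicts.append("ACCEPT")
    return verdicts


def constructed_burst():
    """Constructed traffic: one source opens 12 connections a second apart,
    then one more after a pause of about 90 seconds."""
    src = "198.51.100.7"                        # documentation address, constructed
    packets = [(src, t) for t in range(12)] + [(src, 100)]
    return filter_new_connections(packets)


def eviction_comparison(rounds=20, small_table=2):
    """One noisy source interleaved with two others. Compare a table too small
    to hold all three (entries evicted before hitcount is reached) with the
    default size. Returns (drops_small_table, drops_default_table)."""
    src = "198.51.100.7"
    others = ["203.0.113.5", "203.0.113.6"]     # constructed
    packets = []
    for i in range(rounds):
        packets.append((src, 3 * i))
        packets.append((others[0], 3 * i + 1))
        packets.append((others[1], 3 * i + 2))

    def drops_for(ip_list_tot):
        verdicts = filter_new_connections(packets, ip_list_tot=ip_list_tot)
        return sum(1 for (a, _), v in zip(packets, verdicts) if a == src and v == "DROP")

    return drops_for(small_table), drops_for(100)


if __name__ == "__main__":
    print(constructed_burst())       # 9 x ACCEPT, 3 x DROP, then ACCEPT after the pause
    print(eviction_comparison())     # (0, 11): a full table never reaches the hit count
```

In the burst, the 10th connection inside the 60-second window is the first one dropped, and after the window has passed the source is accepted again. In the eviction run, a table that cannot hold every active source keeps forgetting the noisy one, so it is never dropped at all; the same happens on a relay that sees more distinct sources per minute than `ip_list_tot`. For a kernel with xt_recent built in, the module parameter can still be given on the kernel command line as `xt_recent.ip_list_tot=<N>` (the same `module.parameter=value` form the kernel accepts for any built-in module), which avoids needing `modprobe`.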