author Freemor <freemor@freemor.ca> 2019-09-02 21:26:00 -0300
committer Freemor <freemor@freemor.ca> 2019-09-02 21:26:00 -0300
commit bdc9d5f0a8f951c9484beddbc6dfff4cae50d784 (patch)
tree 587248c9cf0e0908e2bb76f62ecedf5e06be8911
parent ac561bf48b81db461e9085eeaca4e0a858ff8ea5 (diff)
Added README.txt
-rw-r--r-- README.txt 30
1 files changed, 30 insertions, 0 deletions
diff --git a/README.txt b/README.txt
new file mode 100644
index 0000000..30e52ed
--- /dev/null
+++ b/README.txt
@@ -0,0 +1,30 @@
+These are tools I use for managing things on servers.
+
+block - Block an IPv4 address.
+unblock - Unblock an IPv4 address.
+theDrain - Watch, log, and help mitigate SYN floods.
+
+theDrain must not be your first line of defence against a SYN flood. There are
+much better mitigations such as SYN cookies and various other sysctl settings.
+theDrain is intended for watching, logging and IP blocking large offenders to
+lighten the load and stop the sending of wasted SYN_ACKS. Blocking only happens
+if run ar root.
+
+Care must be taken to set the $max_ho variable to a value that is sane for
+your server and will not catch too many innocents making heavy but normal use
+of the system. The current default is one that worked well on the more used of
+the 2 servers that this was written for,
+
+theDrain is also not good at catching highly distributed attacks. Again it must
+not be you firstline of defense. It is however very good at letting you see the
+IP addresses involved and then manually blocking them should you choose to
+using the net block retrieved from whois in CIDR format.
+For example if you saw a lot of 117.221.1x.xx numbers you could do a whois on
+one of them,
+
+Lets say 117.221.14.131.
+
+You can see from the: % Information related to '117.221.0.0/20AS9829'
+that the net block in question is: 117.221.0.0/20. Often
+there is a CIDR: line with this info also.
+
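Review bot: The README names `$max_ho` as the one setting that decides who gets blocked ("Care must be taken to set the $max_ho variable to a value that is sane for your server") but never says what the variable counts, what its current default is, or which file to edit, so an operator cannot tune it from this document alone; state the unit (presumably half-open connections per source, given the SYN-flood context, but the text should say so), the shipped default value, and where it lives, and mention that the `block` tool's action is persistent or not, since the README does not say how an IP blocked by theDrain gets removed later (only that `unblock` exists). Two typos in the same hunk change meaning: "Blocking only happens if run ar root." should read "as root", and "it must not be you firstline of defense" should read "your first line of defence" (the file uses "defence" a few lines earlier; pick one spelling). The sentence ending "the more used of the 2 servers that this was written for," is left with a trailing comma and no continuation, so either finish the thought or end it with a period. In the whois walkthrough, the example output `% Information related to '117.221.0.0/20AS9829'` runs the prefix and the AS number together; write it as the two values the reader is meant to extract so the /20 is not misread, and it is worth a sentence noting that blocking the whole net block from whois will also drop the legitimate hosts in that range, which is the same "innocents" trade-off the README already warns about for `$max_ho`.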