This command will display all current SYN_RECV connections:
netstat -tuna | grep SYN_RECV
and to count them:
netstat -tuna | grep SYN_RECV | wc -l
To block on the firewall all IPs that hold many connections in the SYN_RECV state, first display the number of such connections per IP:
netstat -natp | grep SYN_RECV | awk '{ print $5 }' | cut -d ":" -f1 | sort | uniq -c
If an IP holds many such connections, you can block it using the following script, which rejects every IP with more than 100 of them:
#!/bin/bash
# Reject every source IP that holds more than 100 connections in SYN_RECV.
netstat -natp | grep SYN_RECV | awk '{ print $5 }' | cut -d ":" -f1 | sort | uniq -c | awk '{if ($1>100) system("iptables -I INPUT -s "$2" -j REJECT")}'
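A more defensive variant of the script above, as an added example that is not part of the original page: it normalises IPv4-mapped IPv6 addresses (which `cut -d ":" -f1` turns into empty strings), skips an allowlist, and prints the iptables commands for review instead of running them. The allowlist addresses and the sample netstat lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): count SYN_RECV per source IP
# and print, rather than run, the matching iptables commands.
THRESHOLD=100                      # same cut-off as the script above
ALLOWLIST="127.0.0.1 192.0.2.10"   # assumed: addresses that must never be blocked

# Read `netstat -natp`-style lines on stdin; print "count ip" for every IPv4
# source above the limit. Column 5 is the foreign address, column 6 the state.
syn_recv_offenders() {
    awk -v limit="$1" '
        $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)      # drop the port
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6 -> plain IPv4
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into iptables commands, skipping allowlisted addresses.
# `iptables -C` tests for an existing rule so repeated runs do not stack duplicates.
block_commands() {
    while read -r count ip; do
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        echo "iptables -C INPUT -s $ip -j REJECT 2>/dev/null || iptables -I INPUT -s $ip -j REJECT"
    done
}

# Constructed sample in netstat format: 3 half-open connections from 203.0.113.5,
# 2 from 192.0.2.10 (allowlisted), 1 from 198.51.100.7, and one ESTABLISHED line.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 10.0.0.1:80             203.0.113.5:40001       SYN_RECV    -
tcp        0      0 10.0.0.1:80             203.0.113.5:40002       SYN_RECV    -
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:203.0.113.5:40003 SYN_RECV   -
tcp        0      0 10.0.0.1:80             192.0.2.10:50001        SYN_RECV    -
tcp        0      0 10.0.0.1:80             192.0.2.10:50002        SYN_RECV    -
tcp        0      0 10.0.0.1:80             198.51.100.7:60001      SYN_RECV    -
tcp        0      0 10.0.0.1:22             198.51.100.7:60002      ESTABLISHED 812/sshd
EOF
}

# Demo with a limit of 1 so the sample triggers; on a live host use:
#   netstat -natp | syn_recv_offenders "$THRESHOLD" | block_commands
sample_netstat | syn_recv_offenders 1 | block_commands
```

Review the printed commands before piping them to a root shell.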