Idle connections on a firewall

Matt Shields matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org
Thu Aug 20 15:26:24 EDT 2009


One of my networks has a pretty high amount of sustained traffic because we
host a lot of domains (as high as 850k connections per second ~60Mbits/sec
average).  Over the years we've seen a lot of DDOS traffic that opens a port
and just holds open the connection.  We've come up with quite a few custom
scripts that run on the firewall (linux/iptables) to use tcpdump to analyze
the traffic and tell us what IPs are causing the most traffic to hit us based
on packet size, as well as another script that can tell us which domain is
getting hit the most.  But is there a way using tcpdump (or another tool) to
show what the idle connections are? I realize that tcpdump is made for
inspecting the packets of traffic and new connections, and in this case it's
just someone opening a port and keeping it open.

Second question, once I have a list of these IPs and ports, is there a way
to drop that connection without affecting all the other valid traffic.  I
just want to close that one connection.

-matt
http://www.sysadminvalley.com
http://www.beantownhost.com
http://www.linkedin.com/in/mattboston
Joan Crawford<http://www.brainyquote.com/quotes/authors/j/joan_crawford.html>
- "I, Joan Crawford, I believe in the dollar. Everything I earn, I
spend."
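One way to answer the first question on a Linux/iptables firewall, as an added example that is not part of the original post or any reply: read the netfilter conntrack table instead of sniffing packets. Each ESTABLISHED TCP entry carries a remaining timeout that counts down from nf_conntrack_tcp_timeout_established (432000 s by default) and is reset by every packet, so the difference estimates how long the flow has been idle. The table below is a constructed sample in /proc/net/nf_conntrack format; the timeout default is the kernel's and must be replaced by the live sysctl value if the firewall tunes it.

```python
import re
from collections import defaultdict

# Kernel default for nf_conntrack_tcp_timeout_established (5 days); pass the
# live sysctl value instead if the firewall tunes it.
DEFAULT_ESTABLISHED_TIMEOUT = 432000
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

# Constructed sample in /proc/net/nf_conntrack format; field 5 is the remaining timeout.
SAMPLE_TABLE = """\
ipv4 2 tcp 6 431990 ESTABLISHED src=203.0.113.7 dst=198.51.100.10 sport=51000 dport=80 src=198.51.100.10 dst=203.0.113.7 sport=80 dport=51000 [ASSURED] use=1
ipv4 2 tcp 6 428400 ESTABLISHED src=203.0.113.7 dst=198.51.100.10 sport=51001 dport=80 src=198.51.100.10 dst=203.0.113.7 sport=80 dport=51001 [ASSURED] use=1
ipv4 2 tcp 6 424800 ESTABLISHED src=203.0.113.7 dst=198.51.100.10 sport=51002 dport=80 src=198.51.100.10 dst=203.0.113.7 sport=80 dport=51002 [ASSURED] use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.0.2.25 dst=198.51.100.10 sport=40000 dport=443 src=198.51.100.10 dst=192.0.2.25 sport=443 dport=40000 [ASSURED] use=1
ipv4 2 tcp 6 119 TIME_WAIT src=192.0.2.26 dst=198.51.100.10 sport=40001 dport=80 src=198.51.100.10 dst=192.0.2.26 sport=80 dport=40001 use=1
ipv4 2 udp 17 29 src=192.0.2.27 dst=198.51.100.10 sport=5353 dport=53 src=198.51.100.10 dst=192.0.2.27 sport=53 dport=5353 use=1
"""


def idle_connections(table, min_idle, timeout=DEFAULT_ESTABLISHED_TIMEOUT):
    """Return (idle_seconds, src, sport, dst, dport) for every ESTABLISHED TCP
    flow idle for at least min_idle seconds, most idle first."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2] != "tcp" or fields[5] != "ESTABLISHED":
            continue
        idle = timeout - int(fields[4])  # remaining timeout resets on every packet
        m = TUPLE_RE.search(line)  # first tuple = original direction (the client)
        if m and idle >= min_idle:
            src, dst, sport, dport = m.groups()
            found.append((idle, src, int(sport), dst, int(dport)))
    return sorted(found, reverse=True)


def idle_by_source(conns):
    """Per client IP: (number of idle flows, longest idle time in seconds)."""
    agg = defaultdict(lambda: [0, 0])
    for idle, src, *_ in conns:
        agg[src][0] += 1
        agg[src][1] = max(agg[src][1], idle)
    return {ip: tuple(v) for ip, v in agg.items()}


if __name__ == "__main__":
    # On a live firewall read open("/proc/net/nf_conntrack").read() instead of the sample.
    for idle, src, sport, dst, dport in idle_connections(SAMPLE_TABLE, 1800):
        print(f"{idle:>6}s idle  {src}:{sport} -> {dst}:{dport}")
```

The per-source summary from idle_by_source is what makes a single host holding many long-idle connections stand out from ordinary keep-alive traffic, which the packet-size scripts described above cannot see.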