
One of my servers is under constant SYN DDoS attack. I have decided to set up fail2ban, but as far as I can understand, that will only take care of the ssh login attacks. How can I stop these SYN DDoS attacks? I can't seem to find any particularly clear advice on stackoverflow or Google. A link would also suffice.

Thanks.

womble
recluze
  • Do they attack only your SSH? In this case you can just change ssh server port. As for me, I also use port-knocking. If there is a web-server attack, this method can't be used... – HUB Jul 19 '11 at 15:45
  • Actually, I get that over my web server. – recluze Jul 19 '11 at 15:51
  • First, check that you have syn cookies enabled: "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" – HUB Jul 19 '11 at 16:20
  • If you find a solution to DDoS attacks, please e-mail me :D – Tie-fighter Jul 25 '11 at 13:23

1 Answer


There aren't really a lot of upstream solutions to this problem -- unless you can identify some distinguishing characteristic of the traffic (say, the evil bit is set), your upstreams won't be able to filter out the traffic before it gets to you.

The good news is that, as long as you've enabled SYN cookies, a SYN flood isn't a particularly effective DDoS, and its only risk is that it will fill your pipe. So, flip the bit if necessary (echo 1 >/proc/sys/net/ipv4/tcp_syncookies) and keep an eye on your bandwidth utilisation.

womble
  • This option is already set but the problem still persists. – recluze Jul 20 '11 at 09:53
  • What problem? If it's just that people are sending lots of SYNs at you, you can't stop that; if they're actually successfully SYN flooding your server, then you've got other problems, and some details about what's actually going on would be helpful. – womble Jul 20 '11 at 10:06
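The answer's distinction (SYNs arriving versus a server that is actually being SYN flooded) can be checked from /proc. The following is an added example, not code from the answer or from the asker: it counts sockets per TCP state from /proc/net/tcp, reads the tcp_syncookies knob, and reports whether the half-open backlog is under pressure. The `max_half_open` threshold and the sample /proc/net/tcp text are constructed for illustration.

```python
from collections import Counter

# TCP state codes as they appear in the "st" column of /proc/net/tcp
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def count_tcp_states(proc_net_tcp):
    """Count sockets per state from the text of /proc/net/tcp (header skipped)."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 3:
            counts[TCP_STATES.get(fields[3], fields[3])] += 1
    return counts

def diagnose(proc_net_tcp, tcp_syncookies, max_half_open=128):
    """Return (syncookies_on, syn_recv_count, verdict).

    With SYN cookies on, the kernel stops queuing half-open connections once
    the backlog is full, so a flood only costs bandwidth (the answer's point).
    max_half_open is an assumed threshold, not a kernel value.
    """
    counts = count_tcp_states(proc_net_tcp)
    cookies_on = tcp_syncookies.strip() == "1"
    syn_recv = counts["SYN_RECV"]
    if not cookies_on:
        verdict = "syncookies off: enable with sysctl -w net.ipv4.tcp_syncookies=1"
    elif syn_recv >= max_half_open:
        verdict = "half-open backlog is full: inspect traffic, watch bandwidth"
    else:
        verdict = "no half-open backlog pressure: watch bandwidth only"
    return cookies_on, syn_recv, verdict

# Constructed sample of /proc/net/tcp (not captured from a real host): one
# listener on :80, two established sockets, three half-open (SYN_RECV) ones.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0050 0A00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 20 4 30 10 -1
   2: 0100007F:0050 0B00000A:C351 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 20 4 30 10 -1
   3: 0100007F:0050 0C00000A:C352 03 00000000:00000000 01:00000011 00000000     0        0 0 1 0 20 4 30 10 -1
   4: 0100007F:0050 0D00000A:C353 03 00000000:00000000 01:00000011 00000000     0        0 0 1 0 20 4 30 10 -1
   5: 0100007F:0050 0E00000A:C354 03 00000000:00000000 01:00000011 00000000     0        0 0 1 0 20 4 30 10 -1
"""

if __name__ == "__main__":
    # On a real host read open("/proc/net/tcp") and
    # open("/proc/sys/net/ipv4/tcp_syncookies") instead of the sample.
    print(diagnose(SAMPLE_PROC_NET_TCP, "1\n"))
```

Run it periodically (or from a monitoring hook) and alert on the verdict together with bandwidth, since with cookies on the pipe filling is the remaining risk.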