
My dedicated server can't handle more than 4 Mbit/s of bandwidth. After that, the server doesn't ping anymore. My provider told me it's because my server isn't well configured.

When I look in the logs (syslog), I see that it's probably a SYN flood on port 8085. So I configured iptables to limit the number of connections per IP:

iptables -I INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset

and

iptables -A INPUT -p tcp --dport 8085 -m state --state NEW -m recent --name BLACKLIST --set
iptables -A INPUT -p tcp --dport 8085 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP

I activated SYN cookies:

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

To be sure, I installed fail2ban. But there isn't a huge amount of traffic on this port...

Any idea? Thank you
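The three measures in the question (a per-IP connection cap, a per-IP SYN rate rule and SYN cookies) are applied here with ad-hoc iptables -A/-I commands and echo > /proc, neither of which survives a reboot. The script below is an added example, not code from the question or from any answer: it renders the same measures as an iptables-restore ruleset plus a sysctl.d fragment so they can be reviewed, applied and persisted together. The service port 8085 comes from the question; the hashlimit thresholds (20 SYN/s sustained, burst 40 per source), the bucket name syn8085 and the file paths are assumptions to be tuned from a capture of real traffic. The rendered filter table keeps an ACCEPT policy and only addresses the service port; it replaces whatever filter rules are loaded, so merge it with any existing rules first.

```shell
#!/bin/sh
# Added example (not from the original question): the question's SYN-flood
# measures as a persistent, ordered ruleset. Thresholds, bucket name and
# paths are assumptions; the port (8085) is the one from the question.

PORT=8085

# render_rules PORT -> iptables-restore text for the filter table.
# Order matters: loopback and established flows are accepted before any
# limit, then the per-source connection cap, then the per-source SYN rate
# limit, and only then the explicit accept for the service.
render_rules() {
    port="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows are never rate limited
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# per-source cap on concurrent connections (the question's connlimit rule,
# restricted to the service port)
-A INPUT -p tcp --dport ${port} -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
# per-source SYN rate (assumed thresholds): sustained >20 SYN/s, burst 40, dropped
-A INPUT -p tcp --dport ${port} --syn -m hashlimit --hashlimit-name syn${port} --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
-A INPUT -p tcp --dport ${port} -j ACCEPT
COMMIT
EOF
}

# render_sysctl -> sysctl.d fragment with the question's three kernel settings,
# the persistent form of the three echo > /proc commands
render_sysctl() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.rp_filter = 1
EOF
}

# rule_order_ok PORT -> succeeds only if the SYN-rate DROP rule for the port
# precedes the service ACCEPT rule (otherwise the limit never fires)
rule_order_ok() {
    render_rules "$1" | grep -- "--dport $1 " | awk '
        /hashlimit.*-j DROP/ { drop = NR }
        /-j ACCEPT$/         { acc  = NR }
        END { exit !(drop && acc && drop < acc) }'
}

# apply PORT: write both fragments to assumed paths and load them (root only).
# iptables-restore replaces the whole filter table with the rendered one.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    rule_order_ok "$1" || { echo "rule ordering check failed" >&2; return 1; }
    render_sysctl > /etc/sysctl.d/60-synflood.conf          # assumed path
    sysctl -p /etc/sysctl.d/60-synflood.conf
    render_rules "$1" > /etc/iptables/rules.v4               # assumed path
    iptables-restore < /etc/iptables/rules.v4
}

# Stand-alone: "apply" loads the rules, anything else just previews them.
case "${1:-show}" in
    apply) apply "$PORT" ;;
    *)     render_rules "$PORT"; echo; render_sysctl ;;
esac
```

Run it without arguments to preview the rendered rules and sysctl lines; rule_order_ok is the check to keep when editing the ruleset by hand, since a service ACCEPT placed above the hashlimit DROP silently disables the rate limit.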

Thomas K
  • What service is running on this port? What are the log lines you're talking about? Could you handle more than 4 Mbit/s before the SYN flood began? I guess it is not permanent. What does ethtool say? Can you test bandwidth on a local network? Have you captured some traffic using tcpdump? – zecrazytux Jan 18 '13 at 20:01
  • It's a home-made service. When I talk about logs, I mean syslog. I didn't capture any traffic – Thomas K Jan 18 '13 at 20:43

2 Answers


Against SYN floods, you'd better use an iptables line such as iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

This will put a quota on the number of SYNs per second, out-of-quota SYNs then being dropped.

Heis Spiter
  • How may I be sure that it's really a SYN flood? – Thomas K Jan 18 '13 at 19:54
  • Some tools like Snort help you monitor your network. And they can display stats about the number of SYNs vs ACKs. If SYN is too high compared to ACK, then you're likely to be under a SYN flood. – Heis Spiter Jan 18 '13 at 20:06

First of all I would recommend you to do a packet capture, just to figure out what is going on on the network. This will also give you some numbers for how many connections the server is getting, and where the connections are coming from. This should help you figure out whether you are under attack, and what limits might be fitting to set up in iptables, if you need to set up any.

Have you experienced greater bandwidth to the server previously? 4 Mbit/s is really low, and I am thinking you could be experiencing a driver issue instead, which leads to the problems you are seeing.
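Both this answer (take a packet capture and count who is connecting) and Heis Spiter's comment under the first answer (compare SYN counts with ACK counts) describe the same check. The script below is an added example, not code from either answer or from the question: it reads tcpdump's text output for the service port, tallies bare SYNs against ACK-bearing packets per source, lists the sources that never completed a handshake, and gives a verdict. Assumptions: the capture was made with `tcpdump -n -i eth0 'tcp dst port 8085'`, the sample lines are constructed here in that format, and the verdict threshold (more than three bare SYNs per ACK-bearing packet) is a rule of thumb chosen for this example, not a figure from the page.

```shell
#!/bin/sh
# Added example, not code from the original answers: decide whether port
# 8085 is really being SYN-flooded, from tcpdump -n text output.
# Assumed capture (run by the admin, not here):
#   tcpdump -n -i eth0 'tcp dst port 8085' > capture.txt

# Constructed sample in "tcpdump -n" line format: 203.0.113.7 completes a
# handshake and sends data; 192.0.2.50 and 192.0.2.51 only ever send SYNs.
# The last line targets port 22 and must be ignored by the port filter.
SAMPLE='20:01:12.100 IP 203.0.113.7.51234 > 198.51.100.10.8085: Flags [S], seq 1, win 65535, length 0
20:01:12.101 IP 203.0.113.7.51234 > 198.51.100.10.8085: Flags [.], ack 1, win 65535, length 0
20:01:12.102 IP 203.0.113.7.51234 > 198.51.100.10.8085: Flags [P.], seq 1:30, ack 1, win 65535, length 29
20:01:12.200 IP 192.0.2.50.40001 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.201 IP 192.0.2.50.40002 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.202 IP 192.0.2.50.40003 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.203 IP 192.0.2.50.40004 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.204 IP 192.0.2.51.40001 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.205 IP 192.0.2.51.40002 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.206 IP 192.0.2.51.40003 > 198.51.100.10.8085: Flags [S], seq 1, win 1024, length 0
20:01:12.300 IP 203.0.113.7.51234 > 198.51.100.10.22: Flags [S], seq 9, win 65535, length 0'

# _tally PORT CAPTURE -> one "syn ack src" line per source, then "TOTAL syn ack"
_tally() {
    printf '%s\n' "$2" | awk -v port="$1" '
        # keep only "IP src.sport > dst.PORT:" lines for the service port
        $2 == "IP" && $5 ~ ("\\." port ":$") {
            src = $3; sub(/\.[0-9]+$/, "", src)          # drop the source port
            flags = substr($7, 2, index($7, "]") - 2)    # "[S]," -> "S"
            if (flags == "S")           { syn[src]++; tsyn++ }  # bare SYN
            else if (index(flags, ".")) { ack[src]++; tack++ }  # ACK bit set
        }
        END {
            for (s in syn) printf "%d %d %s\n", syn[s], ack[s] + 0, s
            printf "TOTAL %d %d\n", tsyn + 0, tack + 0
        }'
}

# syn_ack_totals PORT CAPTURE -> "SYN ACK" totals for the port
syn_ack_totals() {
    _tally "$1" "$2" | awk '$1 == "TOTAL" { print $2, $3 }'
}

# half_open_sources PORT CAPTURE -> "count src" for sources that sent SYNs but
# never an ACK, most SYNs first: the addresses a per-source rule would catch
half_open_sources() {
    _tally "$1" "$2" | awk '$1 != "TOTAL" && $2 == 0 { print $1, $3 }' | sort -rn
}

# syn_flood_suspected PORT CAPTURE -> exit 0 when bare SYNs outnumber
# ACK-bearing packets by more than 3:1 (assumed rule of thumb). A busy but
# healthy service shows SYN and ACK counts of the same order.
syn_flood_suspected() {
    set -- $(syn_ack_totals "$1" "$2") 0 0   # $1=SYN total, $2=ACK total
    [ "$1" -gt 0 ] && [ "$1" -gt $(( $2 * 3 )) ]
}

# Stand-alone run over the constructed sample; a real run would pass
# "$(cat capture.txt)" in place of "$SAMPLE".
echo "SYN/ACK totals on 8085: $(syn_ack_totals 8085 "$SAMPLE")"
echo "Sources that never completed a handshake (SYN count, address):"
half_open_sources 8085 "$SAMPLE"
if syn_flood_suspected 8085 "$SAMPLE"; then
    echo "verdict: SYN flood likely"
else
    echo "verdict: traffic looks normal"
fi
```

On the sample the totals are 8 bare SYNs against 2 ACK-bearing packets, and the two half-open sources are 192.0.2.50 and 192.0.2.51; with a real capture, the half-open list is what tells you whether a per-source rule like the question's connlimit or recent rules can help at all, since spoofed floods spread SYNs over many sources that each stay under any per-IP threshold.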