
I have a server (2 x E2620, 32 GB RAM, Debian 6 Linux us-fw 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux, 10G Intel Ethernet Card). It has an Nginx proxy server inside. Idea is to use it as a frontend against DDoS attacks. Currently, if faced to a 500kpps spoofed SYN flood, it becomes almost unresponsive. I've already tried syncookies and various sysctl parameters. Even if a half-open connection timeout is 1 second, it is enough to fill up any buffers. Any ideas how to harden it against spoofed syn floods? Maybe, some hardcore configs or fw rules?

Sergey Lensky
    There's little you can do, locally. All traffic would have to be processed to separate out legitimate packets from the spam; you can minimise the amount of processing if the spam is readily identifiable at a low level, which might be enough, but if you're getting hit hard enough, then you're stuffed anyway. You need to stop the traffic reaching your network at all. Talk to your upstream ISP or investigate CDNs like Akamai, Cloudflare et al. – SmallClanger Apr 19 '13 at 16:06

1 Answer

iptables has various matches to limit the number of connections allowed for a host.

By limiting the number of allowed connections, you can mitigate the impact of the DDoS attack.

  • Using hashlimit:
$ iptables -A INPUT -i eth0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -m hashlimit --hashlimit-name http-flood --hashlimit-mode srcip --hashlimit-upto 5/s -j ACCEPT
$ iptables -A INPUT -i eth0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -j DROP

This will allow each new host to open 5 connections per second.

  • Using connlimit:
$ iptables -A INPUT -i eth0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -m connlimit --connlimit-saddr --connlimit-upto 5 -j ACCEPT
$ iptables -A INPUT -i eth0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -j DROP

This will allow each new host to open up to 5 parallel connections.

However, keep in mind that as you are looking at the source IP address, this can have a huge impact on people behind a NAT.

You can try and play to find out a correct limit value.

Enabling syncookies is also a good idea.

Spack
  • Thanks, but that's all good regarding simple SYN floods, but the question is about spoofed SYN floods. It's pointless to shape forged IPs, or to block them. – Sergey Lensky Apr 19 '13 at 17:05
  • You cannot really know whether an IP address is spoofed or not. The only option is to limit your resources access. Spoofed or not, by limiting, you prevent your server from being under heavy load. – Spack Apr 19 '13 at 17:51
  • If I get packets from 10 million different IPs in 10 minutes, they're spoofed for sure. If I limit resource access, server load goes away, but legitimate visitors go away as well. – Sergey Lensky Apr 19 '13 at 20:05
  • Your website may just have encountered a huge success. What looks more like a SYN packet than a SYN packet? How to filter good from malicious? You can try to establish an attack signature with monitoring tools, but you need to have control over the network and cut it short as fast as possible. If you only have one web server, by the time the attack reaches it, it's already too late. The other way to mitigate is to spread the attack over many servers with horizontal scaling and make your bandwidth way bigger than the attack flow. – Spack Apr 19 '13 at 21:00
  • I have no problem with bandwidth, but with PPS. Surprisingly, 400kpps are enough to stop things from doing well; compared to "normal" non-spoofed SYN, it takes 10x more processing power with the same pps to handle. Could you please tell any examples of a spoofed syn signature? – Sergey Lensky Apr 19 '13 at 23:59
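The per-source limiting from the answer and the objection raised in the comments, as an added example that is not code from either poster: a small model of a hashlimit srcip table (5/s with hashlimit's default burst of 5), fed two constructed SYN streams. One real source is throttled to a handful of accepted SYNs per second, while a stream whose every SYN carries a different forged source is accepted in full and costs one table entry per address, which is why a srcip-keyed limit does not help against the spoofed case.

```python
# Added model of iptables "-m hashlimit --hashlimit-mode srcip": one token bucket per
# source address. Teaching model only, not the kernel's xt_hashlimit code; integer
# milliseconds and milli-tokens keep the arithmetic exact.

RATE_PER_S = 5   # --hashlimit-upto 5/s
BURST = 5        # hashlimit's default --hashlimit-burst
COST = 1000      # one SYN costs 1000 milli-tokens


class SrcIpHashLimit:
    def __init__(self, rate_per_s=RATE_PER_S, burst=BURST):
        self.rate = rate_per_s            # tokens/s == milli-tokens per ms
        self.burst_mt = burst * COST
        self.buckets = {}                 # srcip -> [milli_tokens, last_seen_ms]

    def allow(self, srcip, now_ms):
        """True if this SYN is within the limit (the rule matches, i.e. ACCEPT)."""
        bucket = self.buckets.get(srcip)
        if bucket is None:                # unseen source starts with a full burst
            bucket = self.buckets[srcip] = [self.burst_mt, now_ms]
        tokens, last = bucket
        tokens = min(self.burst_mt, tokens + (now_ms - last) * self.rate)
        accepted = tokens >= COST
        if accepted:
            tokens -= COST
        bucket[0], bucket[1] = tokens, now_ms
        return accepted


def run(packets, rate_per_s=RATE_PER_S, burst=BURST):
    """Feed (time_ms, srcip) SYNs through the limiter: (accepted, tracked sources)."""
    hl = SrcIpHashLimit(rate_per_s, burst)
    accepted = sum(1 for t, src in packets if hl.allow(src, t))
    return accepted, len(hl.buckets)


def single_source_flood(n):
    """Constructed sample: n SYNs, 1 ms apart, all from one real (unspoofed) host."""
    return [(i, "203.0.113.7") for i in range(n)]


def spoofed_flood(n):
    """Constructed sample: n SYNs, 1 ms apart, each with a different forged source."""
    return [(i, "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255))
            for i in range(n)]


if __name__ == "__main__":
    print("one real host  :", run(single_source_flood(1000)))   # (9, 1)
    print("spoofed sources:", run(spoofed_flood(1000)))         # (1000, 1000)
```

The real table also has a size ceiling (--hashlimit-htable-max), so a spoofed flood both passes the limit and fills the table; upstream filtering, as the first comment says, is what actually removes the load.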