
I am getting a SYN flood on my server's port 80 and I cannot stop it. First I got "tables full", then I disabled iptables to find out that it's a SYN flood.

netstat -n | grep :80 |wc -l
#returns 1300 - 2000 
netstat -n | grep :80 | grep SYN |wc -l
#returns around 250

The IPs are coming from everywhere, so I suppose it's spoofed. When I put in different iptables rules, it either doesn't do anything or just drops all connections, even the normal ones.

This is my sysctl -p:

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

What can I do? I am at 1and1 and I don't think they will put in TCP intercept for me, which I heard is the best solution. What is really the best solution?

Kyle Brandt

2 Answers


Check if the packets have a distinguishing feature, for instance, all being the same size.

Usually with scripted SYN floods, they send out a "bare" packet with just the header and no payload. It ends up being a 40-byte packet (if I remember right).

If that's the case, you can simply strip all those out with iptables, since no "normal" packets look like that.

Oh and get ready for a flood of useless advice from people who don't really understand how SYN-floods actually work.

DictatorBob
  • Smart post, but -1 for the 'useless advice comment'. I don't like to subtract points but I think that really isn't in the spirit of this site. If you remove that, I will remove the -1 and this comment. – Kyle Brandt Oct 27 '09 at 19:16
    You're absolutely right, my snarky reply was unnecessary. It's based on having had to deal with a number of SYN-floods back in the bad old days, with numerous "experts" offering ridiculous advice because they just didn't get it. I agree that it's not particularly productive. But I'll take the -1, and suggest we leave these comments, all in the interest of educating other grumpy admins like me.. :) – DictatorBob Oct 27 '09 at 19:48
  • Fair enough :-) It is not that it is really that bad, it is just that sarcasm is a slippery slope on internet forums (/server irc.freenode.net ...) :-) – Kyle Brandt Oct 27 '09 at 19:54
  • Thx Kyle... I will look into this. I am learning a lot about packets to understand this. I just installed DDoS Deflate while waiting for an answer here and it seems to have helped. I just hope it doesn't block any regular users. If DDoS Deflate does more than I want it to, I will put in a new filter. –  Oct 27 '09 at 20:36
  • @SomeGuy you should give an example of intercepting an invalid/small packet in IPTables. – Xeoncross Jan 19 '15 at 03:09
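Xeoncross's request above, as an added example that is not part of either answer: the iptables rules that implement the length-based filter the answer describes, with a measure-first LOG rule so the match can be checked against real traffic before anything is dropped. It assumes iptables with the length and limit match modules, and root to apply the rules.

```shell
#!/bin/sh
# Added example (not from either answer): iptables rules for dropping "bare"
# 40-byte SYN packets aimed at port 80, as suggested in the answer above.
# Assumes iptables with the length and limit match modules; applying the rules
# needs root. With DRY_RUN=1 (the default) the commands are only printed so
# they can be reviewed first.

PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: measure before dropping. The LOG target is rate-limited so the flood
# cannot also fill syslog; the per-rule counters from `iptables -L INPUT -v -n -x`
# show whether the 40-byte SYNs are only the flood or also ordinary clients.
measure_bare_syn() {
    run iptables -I INPUT 1 -p tcp --dport "$PORT" --syn -m length --length 40 \
        -m limit --limit 5/min -j LOG --log-prefix "BARE_SYN:"
}

# Step 2: drop them. 40 bytes is a 20-byte IPv4 header plus a 20-byte TCP header
# with no options; normal clients send at least an MSS option, so a SYN this
# small is the flood signature described in the answer. Remove the LOG rule with
# `iptables -D INPUT ...` (same match) once the counters confirm it.
drop_bare_syn() {
    run iptables -I INPUT 1 -p tcp --dport "$PORT" --syn -m length --length 40 -j DROP
}

# Insert the DROP first and the LOG after it, so the LOG rule ends up at
# position 1 ahead of the DROP and every matching packet is counted.
drop_bare_syn
measure_bare_syn
```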

You just need to enable SYN cookies, and I've seen that you've already done it:

sysctl -w net.ipv4.tcp_syncookies=1

Then you can tune your OS TCP/IP stack to free system resources quicker on unused/closed sockets.

My settings:

# tuning tcp stack
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_keepalive_time=1800
sysctl -w net.ipv4.tcp_window_scaling=0
sysctl -w net.ipv4.tcp_sack=0
# note: SYN cookies carry the peer's window scale and SACK permission in the
# timestamp option, so with timestamps off, cookie-served connections lose them
sysctl -w net.ipv4.tcp_timestamps=0

# old ip_conntrack key; on kernels using nf_conntrack it is net.netfilter.nf_conntrack_max
sysctl -w net.ipv4.ip_conntrack_max=524288
sysctl -w net.ipv4.tcp_syncookies=1

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

# buffering
sysctl -w net.core.wmem_default=229376
sysctl -w net.core.wmem_max=229376

You can tune your Apache too, especially turn off KeepAlive and set a lower Timeout value:

Timeout 5
KeepAlive Off

When dealing with lots of connections, it helps to use a web server à la Nginx, Lighttpd, ...: they start one single process and allocate just a small amount of memory for each connection, whereas Apache allocates one process to each connection.

vitalie