Highest Voted 'syn' Questions - Server Fault Stack Exchange

9

votes

2 answers

tcpdump capture new connections only

I am using tcpdump to capture traffic from specific IP address. Is there the possibility to capture new connections only, meaning TCP streams that start with SYN packet?

tcp tcpdump syn

asked Aug 24 '16 at 06:53

Ania Katzenelson

91
1
1
2

9

votes

1 answer

No response to some SYN packets when timestamps are enabled

I have a TCP server listening on a machine ("the server") running Ubuntu 12.04.3 (kernel 3.8.0-31-generic). It receives connections from 2 different client machines. Machine A is running Ubuntu 12.04.4 (3.11.0-17-generic) and machine B is running…

tcp timestamp syn

asked Mar 20 '14 at 17:44

user133831

191
1
3

5

votes

3 answers

How to ban Syn Flood Attacks using Fail2Ban?

In my log, I am frequently seeing dropped ips like this: > Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT= > MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116 > DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212 > PROTO=TCP…

debian iptables firewall fail2ban syn

asked Oct 30 '14 at 13:39

Neel

1,421
7
21
35

5

votes

1 answer

every minute - possible SYN flooding on port 80

On our Linux server from time to time we get well known SYN flood message: possible SYN flooding on port 80 this is probably not an attack because website traffic is big. However from some time those messages began to come every ~60 seconds. What i…

flooding syn

asked Aug 20 '14 at 07:23

Nick

786
2
12
37

4

votes

3 answers

Lots of connections in SYN_RECV, not a SYN flood, is it some reflection attack?

Since at least a few months, issuing a netstat -t command on our web server, which has TCP ports 22, 80 and 443 exposed to the Internet, often reveals dozens of connections in SYN_RECV status: $ netstat -nt Active Internet connections (w/o…

networking tcp attacks syn

asked Aug 22 '19 at 14:32

Ale

1,613
17
25

4

votes

0 answers

TCP connection stuck in SYN_RECV state despite ACK received

My client and server are both internal machines. tcpdump on both client and server show all three parts of handshake are communicated, however netstat on server shows SYN_RECV, and on client shows ESTABLISHED. The server keeps sending a syn-ack as…

linux networking tcp connection syn

asked Nov 04 '14 at 19:38

Michael Yoon

41
1
3

4

votes

2 answers

98% cpu usage on ubuntu server running apache, site is unresponsive

I run a server with apache2 on an ubuntu box. It is a crypto mining pool. Everything was running normal even with the large inflow of people accessing our site. Then out of nowhere our cpu usage across all 8 cores is at 98 to 100% I use a reverse…

apache-2.2 ubuntu syn

asked Apr 02 '14 at 22:25

user3491412

41
2

4

votes

1 answer

problems simulating TCP SYN flood

I'm trying to simulate a TCP SYN flood to tune a web server (planning to deploy on AWS). I setup a 'target' VM, disabled iptables and running hping (hping -p 80 -i u1000 -c 1000 -S destaddr) from couple of local 'source' machines (filtering RST in…

linux security tcp ddos syn

asked Jun 20 '13 at 20:42

Alex I

81
3

3

votes

1 answer

TCP SYN cookies are always turned on when enabled?

For Linux kernel 2.6.32 if I set net.ipv4.tcp_syncookies = 1 will that be always used or only during a SYN flood attack? I found 2 sources which say the opposite. 1: "There are, however, two caveats that take effect when SYN cookies are in use.…

firewall tcp syn

asked Sep 30 '15 at 10:27

defiler

31
3

3

votes

3 answers

better alternative for tcp_syncookies in linux

In an effort to prevent DDOS attacks I followed suggestions to leave /proc/sys/net/ipv4/tcp_syncookies value set to 1 in my linux box to enable TCP syncookies. However, when I look at this URL:…

tcp connection ddos syn tcp-window-scaling

asked Jul 14 '15 at 02:26

user286228

3

votes

1 answer

Linux iptables - reject tcp SYN with RST

I am doing an implementation on a linux machine to reject incoming telnet requests from wan side telnet port 8023. The functionality is achieved by using the below iptables rules. The first rule in NAT prerouting chain to DNAT incoming tcp frames…

iptables tcp rst syn

asked Aug 22 '14 at 13:04

UserM

53
1
1
8

3

votes

1 answer

DDOS manual mitigation using command netstat. How to determine real attackers?

When my server is slow, I have been told to run this command and check if someone is making a request of SYN_RECV to slow down my server: netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort…

centos ddos netstat syn

asked May 19 '20 at 20:38

Kalib Zen

137
5

2

votes

1 answer

SYN packets never responded to with SYN/ACK

I'm having an issue with a tcp handshake that I can't find the answer to anywhere else. I have a program running on my local device that posts data to port 50000. In a terminal on the same machine, I use netcat to connect to the port. However, while…

iptables tcp syn

asked Jan 15 '19 at 20:01

Austin

41
6

2

votes

1 answer

Handle "possible SYN flooding on port 443. Sending cookies."

My website constantly has several users online all the time. The server uses Apache/PHP, database and Memcached. On normal use, the application works well and fast. However, the server appears to sometimes have "SYN flooding" attacks. I really…

apache-2.4 tcp ddos scalability syn

asked Jun 28 '16 at 22:20

Nuno

461
1
5
23

2

votes

1 answer

IPTABLES - block IPs that do not complete handshake/visit webpage

i am trying to figure out how to achieve something am not sure is achievable and need help. I did my research but couldnt find credible information. Hope this question is not duplicate. SET UP: I am using iptables as my firewall to block malicious…

iptables block syn

asked Apr 04 '21 at 12:52

baboon

21
4

Questions tagged [syn]