Trying to understand anti TCP SYN flood attack IPTables rule

0

I’m currently working on a university assignment. I’m learning about firewalls and I need to configure IPTables on an Ubuntu machine to prevent a TCP SYN flood attack.

I understand that this type of attack consists of sending a server a great number of SYN requests without then following up with an ACK after its SYN-ACK response, resulting in the server waiting and therefore wasting its resources.

Looking on the Internet I found this IPTables rule on multiple web sites:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

I cannot understand how this entry should prevent the attack. I’m interpreting it as “Drop any new TCP connection without a SYN flag.” Am I missing something?

frank_volpi

Posted 2016-11-23T02:18:48.280

Reputation: 3

perhaps you could try to use the "unclean match" or "limit match" switch. e.g. iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT – Tech-IO – 2016-11-24T20:02:14.033

Answers

0

That iptables rule will not prevent SYN flood attacks. As you say, it will drop any new, non-SYN TCP packets. It will only accept new TCP connections which include a SYN packet.

To prevent SYN flood attacks using iptables, you would need to employ rate limiting.

Mark Riddell

Posted 2016-11-23T02:18:48.280

Reputation: 652

Thank you for your help. What the articles I had read were referring to is still a mystery, but at least I could find an IPTables rule based on rate limiting to include in my assignment! – frank_volpi – 2016-11-24T22:13:38.150
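To make the point of this answer concrete, here is an added simulation (not code from the thread or from any of its posters) of three rules over a constructed packet trace: the `! --syn -m state --state NEW -j DROP` rule from the question, a global `-m limit` on SYNs, and a per-source `-m hashlimit` on SYNs. Only the match logic is modelled (TCP flag bits, the conntrack state the `state` match would report, and the token bucket behind the limit matches); the addresses, timings and the 5/s rate are made-up assumptions.

```python
"""Simulation of iptables SYN-flood rules over a constructed packet trace.

Added example, not code from the original thread. It models only the match
logic of the rules; addresses, timings and rates are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10


@dataclass
class Packet:
    t: float    # arrival time in seconds
    src: str    # source IP
    flags: int  # TCP flag bits
    state: str  # conntrack state as -m state reports it: "NEW" or "ESTABLISHED"


def is_syn(p: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN clear (a connection-opening SYN)."""
    return p.flags & (SYN | ACK | RST | FIN) == SYN


def rule_drop_non_syn_new(p: Packet) -> str:
    """iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    Matches packets that start a new conntrack entry without being a plain SYN
    (a stray ACK, a crafted probe). A SYN flood is made of plain SYNs, so this
    rule never matches the flood itself."""
    return "DROP" if p.state == "NEW" and not is_syn(p) else "NOMATCH"


class TokenBucket:
    """Model of the limit/hashlimit match: 'rate' tokens per second, at most 'burst'."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_syn_limit(trace, rate: float, burst: int, per_source: bool):
    """Verdict for every SYN in the trace under one of two rule pairs.

    per_source=False (one bucket shared by everyone):
      -A INPUT -p tcp --syn -m limit --limit R/s --limit-burst B -j ACCEPT
      -A INPUT -p tcp --syn -j DROP
    per_source=True (one bucket per source address):
      -A INPUT -p tcp --syn -m hashlimit --hashlimit-mode srcip \
          --hashlimit-upto R/s --hashlimit-burst B --hashlimit-name syn -j ACCEPT
      -A INPUT -p tcp --syn -j DROP
    Returns {src: Counter({"ACCEPT": n, "DROP": m})}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    out = defaultdict(Counter)
    for p in sorted(trace, key=lambda p: p.t):
        if not is_syn(p):
            continue  # neither rule matches non-SYN packets
        key = p.src if per_source else "*"
        out[p.src]["ACCEPT" if buckets[key].allow(p.t) else "DROP"] += 1
    return dict(out)


def build_trace():
    """Constructed trace (assumption): one attacker sending 200 SYNs in one
    second, a legitimate client opening three connections, and one stray ACK."""
    attacker, client, stray = "10.0.0.66", "192.0.2.10", "203.0.113.5"
    trace = [Packet(i / 200, attacker, SYN, "NEW") for i in range(200)]
    trace += [Packet(t, client, SYN, "NEW") for t in (0.3125, 0.6125, 0.9125)]
    trace.append(Packet(0.5, stray, ACK, "NEW"))
    return trace


def count_rule1(trace):
    """How many packets the rule from the question would drop."""
    return Counter(rule_drop_non_syn_new(p) for p in trace)


if __name__ == "__main__":
    trace = build_trace()
    print("rule from the question:", dict(count_rule1(trace)))
    print("global -m limit 5/s burst 5:", run_syn_limit(trace, 5, 5, False))
    print("hashlimit srcip 5/s burst 5:", run_syn_limit(trace, 5, 5, True))
```

Running it shows the three behaviours a practitioner should keep apart: the rule from the question drops exactly one packet (the stray ACK) and lets all 200 flood SYNs through, so it is a sanity filter, not flood protection; a global `-m limit` does cap the SYN rate, but the attacker drains the shared bucket and the legitimate client's three SYNs are all dropped with it; a per-source `hashlimit` keeps the attacker at the configured rate while the legitimate client gets all three connections. The per-source variant only helps while the attacker uses its real address; a flood with spoofed sources gets a fresh bucket per fake address, which is why the kernel's SYN cookies remain the baseline defence and iptables rate limiting is a complement to them.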

-3

SYN flood is an outdated technique, like WinNuke. The Linux kernel has included its own protection (net.ipv4.tcp_syncookies) since 1999(!), so your only job is to enable it with sysctl, but this has been the default for a long time.

sysctl net.ipv4.tcp_syncookies=1 

Ipor Sircer

Posted 2016-11-23T02:18:48.280

Reputation: 3 578

The question is specifically asking for a clarification on a well known IPTables rule to prevent SYN floods, not an alternative method of preventing SYN floods. – JakeGould – 2016-11-23T02:43:38.753

This has been the recommended method since 1999, so using iptables is pointless. If it were a well-known rule, then he would already have found it by searching the Internet. – Ipor Sircer – 2016-11-23T02:53:01.153

Please read the question again: “I'm currently working on a university assignment. I'm learning about firewalls and I need to configure iptables on an Ubuntu machine to prevent a TCP SYN flood attack.” The assignment focuses on firewalls and asks for an explanation as to how that IPTables rule works. It is not asking for an alternative method. – JakeGould – 2016-11-23T03:00:23.100

SYN flood is outdated? Huh. So it's not used as a key part of the Mirai botnet, which was responsible for a 620 Gbps attack on Krebs' website and the 1.2 Tbit/s attack on Dyn? Yeah, sounds pretty trivial, like WinNuke, to me.

– Mark Riddell – 2016-11-23T20:31:22.453

I understand you are passionate about the topic but I have to turn in the assignment today and still have no clue why that IPTables rule should prevent the attack. – frank_volpi – 2016-11-24T14:51:28.997