View Full Version : Stopping SYN Attacks using IPTables


Dogtanian
12-20-2004, 04:03 PM
Here's a bash script I made to stop SYN attacks on your server. You need root.


#!/bin/bash

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

rm /root/.dyn*

echo "Setting kernel tcp parameters to reduct DoS effects"

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

#ANTISPOOFING
for a in /proc/sys/net/ipv4/conf/*/rp_filter;
do
    echo 1 > "$a"
done

##
#NO SOURCE ROUTE
for z in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
    echo 0 > "$z"
done

#SYN COOKIES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo $ICMP_ECHOREPLY_RATE > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Do not accept ICMP redirects (0 disables them; the original line wrote 1 here, which enables them)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# NUMBER OF CONNECTIONS TO TRACK
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max

# Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# Flush all chains and delete user-defined ones
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -d 127.0.0.0/8 -j REJECT

/sbin/iptables -A INPUT -i eth0 -j ACCEPT

/sbin/iptables -A INPUT -m state --state INVALID -j DROP

### chains to DROP too many SYN-s ######
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP

---------------------------------------------------------
Call it syn.bash and then execute it; also replace /sbin/iptables with the path of the iptables program.

tommyquang
12-22-2004, 05:49 PM
Can you tell me in detail? Where can I add this script?

Dogtanian
12-22-2004, 05:56 PM
Copy all of this, make a file called syn.bash, then type bash syn.bash and it should execute the file and set it up.

tommyquang
12-22-2004, 06:22 PM
Thank you for the replies.
After I ran that file, I got this message:


root@host1 [~]# bash syn.bash
: command not found
modprobe: Can't locate module ip_tables
modprobe: Can't locate module ip_conntrack
modprobe: Can't locate module ip_conntrack_ftp
: command not found
rm: cannot lstat `/root/.dyn*\r': No such file or directory
: command not found
Setting kernel tcp parameters to reduct DoS effects
: command not found
: No such file or directorys/net/ipv4/tcp_fin_timeout
: No such file or directorys/net/ipv4/tcp_keepalive_time
: No such file or directorys/net/ipv4/tcp_window_scaling
: No such file or directorys/net/ipv4/tcp_sack
: No such file or directorys/net/ipv4/tcp_max_syn_backlog
: command not found
'yn.bash: line 19: syntax error near unexpected token `
'yn.bash: line 19: `for a in /proc/sys/net/ipv4/conf/*/rp_filter;

So... how can I fix this error? I'm running Red Hat Enterprise Version 3!
Thank you so much!

bitserve
12-22-2004, 11:03 PM
Originally posted by Dogtanian
Here's a bash script I made to stop SYN attacks on your server. You need root.

#!/bin/bash

# Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -d 127.0.0.0/8 -j REJECT

/sbin/iptables -A INPUT -i eth0 -j ACCEPT

/sbin/iptables -A INPUT -m state --state INVALID -j DROP

### chains to DROP too many SYN-s ######
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP

---------------------------------------------------------
Call it syn.bash and then execute it; also replace /sbin/iptables with the path of the iptables program.

I think the only part actually helping to "stop SYN attacks" is this:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

And it's not using iptables.

Your actual iptables rules don't do anything, because you're not actually sending any traffic to your syn-flood chain. Nice try though.

rfxn
12-28-2004, 05:03 PM
There is a lot of code exactly like this out on the net claiming to stop SYN floods, but sadly it is not as easy as simply filtering SYN-state packets, because most SYN floods are obfuscated with SYN + other flags set. If any other flag is set beyond the standard SYN, then iptables won't recognize it as a 'standard' SYN packet and you'll need to use state rules to make an appropriate rule.

The INVALID state chain is nice too, but again you should break it down to each state pattern and make specific rules, as the INVALID chain for the state module is just a generic small set of common invalid states.

Bottom line: running this will give you no better protection and may even lessen protection while using firewalls such as Shorewall, APF, KISS, etc.

Likewise, it only takes about 5 SYN packets a second to flood the average web server to the point that it runs out of connections (5*30 [1800 msec] equals roughly 150 HTTP connections held open/denied valid use in 30 seconds). The problem with SYN floods is that it takes so few resources and so few SYN packets to overflow web servers.

My biggest recommendation is a good firewall as noted above and Apache tweaks. Set timeouts below 200, set keep-alives unlimited and the keep-alive timeout to 15 seconds (lower connection timeout, higher keep-alive); increase max connections and double the min/max spare servers (min 16, max 32, start 18).

Likewise, there are new kernel features such as the sysctl overflow capability that can be used to battle SYN attacks, but the bottom line is: a burst-based chain rule in iptables will not be a solution nor make a difference.

Nonetheless, good efforts.
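An added example (my own code, not Dogtanian's script and not anything bitserve or rfxn posted) that pulls together the two corrections the replies above call for: the syn-flood chain is actually reached by a jump for new SYNs on INPUT, and SYN packets carrying extra flags are matched explicitly with --tcp-flags before the rate limiter sees them. It is written as a dry-run builder: IPT defaults to echo so the rules are printed rather than loaded, and the flag combinations listed are my own selection, not the thread's.

```shell
#!/bin/sh
# Added example: a corrected rule set in the spirit of the thread's script.
# IPT defaults to "echo" so the rules are printed (dry run); set IPT=/sbin/iptables
# (as root) to load them for real.
IPT="${IPT:-echo}"

# Flag combinations a legitimate connection opener never sends (my selection,
# not from the thread). Each line is "<mask> <flags>" as used by --tcp-flags.
BAD_FLAGS="
ALL NONE
ALL FIN,SYN,RST,PSH,ACK,URG
SYN,RST SYN,RST
FIN,SYN FIN,SYN
"

build_rules() {
    # 1. SYN with extra flags set is not a "standard" SYN (rfxn's point), so it
    #    is matched explicitly and dropped before the SYN rate limiter sees it.
    echo "$BAD_FLAGS" | while read -r mask flags; do
        [ -n "$mask" ] || continue
        $IPT -A INPUT -p tcp --tcp-flags "$mask" "$flags" -j DROP
    done
    # 2. Whatever conntrack cannot classify at all.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # 3. The thread's syn-flood chain, unchanged ...
    $IPT -N syn-flood
    $IPT -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    $IPT -A syn-flood -j LOG --log-prefix "SYN flood: "
    $IPT -A syn-flood -j DROP
    # ... plus the jump the original forgot (bitserve's point): every packet that
    #    opens a new connection (--syn = SYN set, ACK/RST/FIN clear) goes through it.
    $IPT -A INPUT -p tcp --syn -j syn-flood
    # 4. Only now the broad accept. In the original, "-A INPUT -i eth0 -j ACCEPT"
    #    came before everything else, so no later INPUT rule was ever consulted.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# How many INPUT rules hand traffic to syn-flood (meant for the dry run). The
# thread's script yields 0, which is why its chain never fired; this one yields 1.
count_syn_flood_jumps() {
    build_rules | grep -c -- '-j syn-flood$'
}

build_rules
```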

apollo
01-13-2005, 05:26 PM
Actually, I posted a few iptables command lines that will drop INVALID SYN packets -- sometimes used to flood the server/box...

http://www.webhostingtalk.com/showthread.php?s=&threadid=363499