  1. #1

    DDOS again n again!

    Hi,

    OK, to detect a DDoS attack you should look for SYN_REC in netstat. Now, what exactly is SYN_REC? Why should an IP request it? And is there a way to disable it completely?

    I'm running a single site on a single server; it's a vBulletin forum. Does this site need SYN_REC? If I disable it completely, will it affect the site?

    Thanks..

  2. #2
    Join Date
    May 2013
    Location
    India
    Posts
    748
    SYN_RECV is part of the TCP protocol's handshake procedure; you cannot disable it. Instead, you can enable SYN flood attack protection. If you have CSF installed, adjust the following directives.

    Code:
    SYNFLOOD = "1"
    SYNFLOOD_RATE = "30/s"
    SYNFLOOD_BURST = "10"

    Add the following line to the /etc/sysctl.conf file to make it persist across reboots:

    net.ipv4.tcp_syncookies = 1

    Also enable SYN cookies by running the following commands:

    Code:
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -p

    You may want to increase the SYN backlog queue as well by adjusting the net.ipv4.tcp_max_syn_backlog sysctl directive.
    Last edited by nixtree; 11-17-2013 at 09:17 AM.

  3. #3
    Join Date
    May 2012
    Location
    India
    Posts
    1,026
    If you receive a higher amount of DDoS, the software firewall is of very little help. I would recommend moving the domain to CloudFlare, which has some level of DDoS protection, and also changing the server IPs.

  4. #4
    Join Date
    Jan 2002
    Location
    USA
    Posts
    4,548
    Quote Originally Posted by kevincheri View Post
    If you receive a higher amount of DDoS, the software firewall is of very little help. I would recommend moving the domain to CloudFlare, which has some level of DDoS protection, and also changing the server IPs.
    CloudFlare is practically useless for DDoS, as they'll just pass it directly onto you if large enough. I've not tried their $200/mo plan, but had their $25/mo plan (but also had regular DDoS filtering too) and within 24 hours got an email that they were disabling CF due to a 'large HTTP flood' (or something).

    Best get proper DDoS filtering if it's an issue. I've got two VPSes with DDoS filtering, one from BuyVM and one from RamNode. I operate a website that is a target of such attacks and their cheap filtering via CNServers is quite good for the price.

    Alternatively, you may wish to look into products such as X4B, which has filtering options for different locations and may be a good option for the OP.

    Best of luck.
    vpsBoard - An active resource for all things Virtual Private Servers. Tutorials, Guides, Offers and more!
    Come join the conversation! 90,000 posts and growing daily! The fastest growing hosting forum around!

  5. #5
    Join Date
    Jul 2013
    Posts
    296
    You should have a server or hosting where the datacenter offers you real protection.

  6. #6
    Configure LF_NETBLOCK, SYNFLOOD and CT_LIMIT in CSF, and also use/configure a CDN like Cloudflare, which is also helpful in preventing DoS attacks.

  7. #7
    Join Date
    Jul 2013
    Posts
    296
    Cloudflare can help you if you buy its $200/month plan; its normal plans don't have DDoS protection. Search for hosting with DDoS protection.

  8. #8
    Join Date
    Nov 2013
    Posts
    103
    Quote Originally Posted by ballighohosting View Post
    now what exactly is SYN_REC?? and why should an IP request it ??
    You run a hosting related business, at least you claim to, but have no clue how the core of your business - the network - works? Wow...

  9. #9
    As mentioned above, if the attack is larger than what your firewall can handle, you need to either upgrade or consider external help. Mind you, SYN Floods are just one of several "types" of attacks you may be a victim of. UDP being the cheapest and most common usually eats up your entire bandwidth, so you have to consider that kind of expense too. CF can be good for mitigating UDP floods - they use their distributed structure to absorb it, but when it comes to mitigating L7 attacks (such as HTTP/HTTPS Get Floods) they're not going to help you a lot.

  10. #10
    Join Date
    Nov 2010
    Location
    San Francisco, CA
    Posts
    899
    Quote Originally Posted by MannDude View Post
    CloudFlare is practically useless for DDoS, as they'll just pass it directly onto you if large enough. I've not tried their $200/mo plan, but had their $25/mo plan (but also had regular DDoS filtering too) and within 24 hours got an email that they were disabling CF due to a 'large HTTP flood' (or something).

    We only provide unlimited DDoS protection on a Business or Enterprise tier of service for a domain.
    CloudFlare Community Evangelist

  11. #11
    You need to upgrade to their $200 per month plan like cloudflare just suggested. DDoS attacks are $$$
    Hosting And Designs L.L.C. Since 2002 --> http://www.hostinganddesigns.com/HD/
    Tech Blog: http://www.hostinganddesigns.com/Blog/
    Sales: Lars A Jensen. Direct: 503-999-7518 9am-5+pm

  12. #12
    Join Date
    Jul 2013
    Posts
    296
    It is $200, but it is good.

  13. #13
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    You can't just disable SYN; it is required to establish a full TCP connection. As others suggested, you can try using something like CSF to block these floods and enable syncookies in your kernel settings. However, this won't help against any real attacks (i.e. larger ones). Your best bet would be to either get remote DDoS protection from one of the various providers around here or move your hosting to a DDoS-protected datacenter.
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  14. #14
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Well technically you can disable anything you want

  15. #15
    Try using nginx and tune the system to support and block SYN floods. You can install CSF for this and tune the network settings on Linux.

  16. #16
    Join Date
    Jul 2013
    Posts
    296
    There are more companies in the DDoS protection field that can help you. Just search Google.

  17. #17
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    @IRCCo Jeff, Well, by "can't" I rather meant "shouldn't". If the OP is running a website, no one would be able to connect to it if he blocks all SYN packets.

    Oh and btw it would also be a good idea to limit the SYN/ACK retries in your kernel settings in addition to enabling syncookies, such as:

    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_syn_retries = 1

  18. #18
    It is not necessary to get a DDoS-protected server for SYN attacks. SYN attacks are generally easy to block, but are you sure it's a SYN attack? It could be another, Layer 7, attack... My recommendation is to use nginx and try to block it. If not, try searching for a DDoS-protected VPS.

  19. #19
    Join Date
    Jul 2013
    Posts
    296
    If you need a DDoS-protected VPS, the best choice is Blacklotus; try their VPS.

  20. #20
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    Quote Originally Posted by 5gbps View Post
    It is not necessary to get a DDoS-protected server for SYN attacks. SYN attacks are generally easy to block, but are you sure it's a SYN attack? It could be another, Layer 7, attack... My recommendation is to use nginx and try to block it. If not, try searching for a DDoS-protected VPS.
    Why do you keep recommending NGINX if the OP is asking about SYN flood? SYN is handled by the kernel's network stack and the NIC, not by the web server. And yes, it's possible to harden Linux servers to a degree where they can absorb attacks of ~3-400k PPS or even more, but that depends on the exact type of attack and also on your NIC.

  21. #21
    Generally, server NICs can handle many hundreds of kpps. Of course, it is necessary to harden the network settings in Linux to handle SYN attacks better. SYN attacks are half-open connections and, if they are not filtered, the packets reach the web server. A default Apache configuration can handle up to 100 simultaneous connections. Nginx can handle much more without high load.

  22. #22
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Quote Originally Posted by MannDude View Post
    CloudFlare is practically useless for DDoS, as they'll just pass it directly onto you if large enough. I've not tried their $200/mo plan, but had their $25/mo plan (but also had regular DDoS filtering too) and within 24 hours got an email that they were disabling CF due to a 'large HTTP flood' (or something).
    Their $200/month plan is actually very good; it's one of the best ones we have used to date (and our customers have used almost all of the major ones). It's filtered every attack to date.

    The only problem with Cloudflare is that they do have frequent outages (at least one a month) and you have no way to "bypass" them, as you must use their nameservers (a reason we don't use them more than we actually do). The only saving grace is that they are mostly localized outages/issues for specific regions, but still, they are not the answer if you require uptime.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  23. #23
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    Quote Originally Posted by 5gbps View Post
    Generally, server NICs can handle many hundreds of kpps. Of course, it is necessary to harden the network settings in Linux to handle SYN attacks better. SYN attacks are half-open connections and, if they are not filtered, the packets reach the web server. A default Apache configuration can handle up to 100 simultaneous connections. Nginx can handle much more without high load.
    This is not true. The TCP handshake happens at kernel level, and only a fully established TCP connection then turns into an HTTP connection if the web server is targeted. SYN packets are only the beginning of a TCP handshake and therefore don't affect HTTP or your web server. Anyone with basic knowledge about networking can confirm this (such as @IRCCo Jeff or @reto, who know this stuff well). In the case of an HTTP connection it would go like this: the client sends SYN, the server sends SYN-ACK to the client, the client sends ACK, the TCP handshake is complete and the HTTP connection is established.


  24. #24
    Quote Originally Posted by infinitnet View Post
    This is not true. The TCP handshake happens at kernel level, and only a fully established TCP connection then turns into an HTTP connection if the web server is targeted. SYN packets are only the beginning of a TCP handshake and therefore don't affect HTTP or your web server. Anyone with basic knowledge about networking can confirm this (such as @IRCCo Jeff or @reto, who know this stuff well). In the case of an HTTP connection it would go like this: the client sends SYN, the server sends SYN-ACK to the client, the client sends ACK, the TCP handshake is complete and the HTTP connection is established.

    Yes, this is true, but generally attacks targeting web servers are not only SYN attacks. That's why I asked if he is sure that it is a simple SYN or maybe a GET/POST/Slowloris or other attack type. Layer 7 attacks targeting web servers are very easy to mitigate using nginx. Of course, high-end DDoS protection mitigates those attacks at the firewall level and the attacks don't reach the servers.

  25. #25
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    The OP neither said that the attack is targeting his web server, nor are layer 7 attacks as common as SYN or UDP floods (by far).

  26. #26
    No, but he said he has vBulletin hosted and asked how to block SYN. That's why I thought it's an attacked vBulletin website. From the question itself, "how to block SYN", I could notice that the OP has no experience with this kind of problem. Generally, web server targeted attacks are not simple SYN. That's why I gave him some tips on how to block web server targeted attacks (not only SYN).

  27. #27
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    Quote Originally Posted by 5gbps View Post
    No, but he said he has vBulletin hosted and asked how to block SYN. That's why I thought it's an attacked vBulletin website. From the question itself, "how to block SYN", I could notice that the OP has no experience with this kind of problem. Generally, web server targeted attacks are not simple SYN. That's why I gave him some tips on how to block web server targeted attacks (not only SYN).
    And how exactly does using NGINX block GET or POST floods for instance? It doesn't. The only attack it may be helpful against out of the box would be Slowloris, but there are also Apache patches/modules for this. And no, most attacks on web servers do not include the application layer. From our experience maybe 10% of the attacks on web servers are actual layer 7 floods, everything else is booters (DNS amplification) or mixed UDP, SYN, ACK, ICMP floods. Anyway, I'm ending this discussion here.

  28. #28
    NGINX doesn't block attacks, but it can handle a large number of requests and it is harder to make it stop accepting new connections.

  29. #29
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    And how exactly does this help if PHP/MySQL is overloading your server in case of layer 7 floods? I'm not saying it's not possible, I'm just saying it's not possible out of the box and by just installing/using NGINX, as you suggested.

  30. #30
    I just gave the easiest solution that can be applied without costs. The hacker who is attacking that server most probably has no big resources for that attack if he is sending SYN or Layer 7 attacks, so nginx would solve the problem. Why invest in expensive DDoS protection if you can block that small attack at no cost by just installing nginx and tuning a couple of configs on the system?

  31. #31
    Join Date
    Nov 2013
    Posts
    103
    Wow, look at all the sigs in this thread. It's advertisement-o-rama! If only there were any meaningful posts among all the flashing signs.

  32. #32
    Laughs out loud; in a way both are right, because they are talking about different things.

  33. #33
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by wndml View Post
    Wow, look at all the sigs in this thread. It's advertisement-o-rama! If only there were any meaningful posts among all the flashing signs.
    Indeed; I was trying to work out why we were even discussing how to defend against SYN attacks when the tcp_syncookies setting is an almost complete defence. (Haven't had enough sleep; am I missing something here??)

    FYI folks - when you have tcp_syncookies enabled, the kernel stops using fixed SYN tables and instead effectively sends back a "cookie" in response to the SYN request. Responding correctly to this cookie then opens an actual connection. This means it's impossible to fill up the SYN table with half-open connections that never complete, which is what a SYN attack does.

    Apologies for wasting the time of those who actually knew this, but based on the demonstrated knowledge levels I thought it might help.

  34. #34
    Join Date
    Feb 2002
    Location
    South California
    Posts
    333
    Nginx will handle quite a bit of traffic without a problem. So will Varnish. Syn cookies are effective against spoofed syn floods. They are not effective against a syn flood from legitimate sources. However, spoofed syn floods will often overwhelm your server because the server is not setup to handle the high rate of throughput. Most servers won't handle beyond a hundred thousand pps. This is because the kernel based algorithm to handle cookies is fairly slow.

    Code:
    __u32 *tmp = __get_cpu_var(ipv4_cookie_scratch);

    memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
    tmp[0] = (__force u32)saddr;
    tmp[1] = (__force u32)daddr;
    tmp[2] = ((__force u32)sport << 16) + (__force u32)dport;
    tmp[3] = count;
    sha_transform(tmp + 16, (__u8 *)tmp, tmp + 16 + 5);

    The memcpy() and sha_transform() will overwhelm your CPU before reaching any reasonable rates.

    The next component is your interrupt handling at your NIC. Some NICs handle 1 packet:1 interrupt. You'll want one with polling to limit your interrupts.

    TCP interception is a routed mechanism for syn cookie based syn flood mitigation. It's available in quite a few hardware appliances and is also available by cloud based mitigation providers. Any enterprise solution like this will handle quite a bit more than your server.

    Cloudflare is more of a CDN than a dedicated DDoS mitigation network. This is how they market themselves.

    I recommend you:
    • make sure your NIC is polling interrupts
    • turn on cookies
    • add a local firewall to detect and stop repeat connections
    • use nginx


    Alternatively, you can look for a cloud based mitigation provider. In that case, I recommend:
    • make sure the provider has multiple locations
    • ask if the provider depends on off-the-shelf low end appliances or develops their own high performance system


    Good luck with your search.
    Matt Mahvi
    Staminus, Infrastructure DDoS Protection and Appliances
    @ 200+ Gbps global ddos mitigation network. Local or Remote. Proxy, GRE, and direct cross connects.
    @ Available in Amsterdam, New York, Los Angeles and Orange County. Anycast BGP.
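Added example, not from the thread or from the kernel: a simplified Python model of the difference the tcp_syncookies setting makes, as described in posts #33 and #34 (a fixed half-open SYN table that a spoofed flood fills up, versus a stateless cookie folded into the SYN-ACK sequence number). Like the kernel excerpt above it keys a hash over (saddr, daddr, sport, dport, count) with a secret, but the hash, the cookie bit layout, the secret and all addresses here are constructed for illustration and differ from the kernel's actual algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS is carried as a small index, as the kernel does
COOKIE_AGE = 2                        # counter ticks (minutes) for which a cookie stays valid


class SynReceiver:
    def __init__(self, secret: bytes, syncookies: bool, backlog: int = 4):
        self.secret, self.syncookies, self.backlog = secret, syncookies, backlog
        self.half_open = {}   # SYN_RECV table: (saddr, sport) -> (ISN, mss_idx); unused with cookies
        self.established = 0
        self.dropped = 0

    def _cookie(self, saddr, daddr, sport, dport, count, mss_idx):
        # Toy layout (not the kernel's): 24-bit keyed hash | 6-bit counter | 2-bit MSS index
        msg = struct.pack("!4s4sHHIB", ipaddress.ip_address(saddr).packed,
                          ipaddress.ip_address(daddr).packed, sport, dport, count, mss_idx)
        h = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")
        return (h << 8) | ((count & 0x3F) << 2) | mss_idx

    def on_syn(self, saddr, daddr, sport, dport, mss, count):
        """Returns the ISN we answer with in the SYN-ACK, or None if the SYN is dropped."""
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
        if self.syncookies:   # stateless: nothing is stored until the ACK proves a real peer
            return self._cookie(saddr, daddr, sport, dport, count, mss_idx)
        if len(self.half_open) >= self.backlog:   # spoofed SYNs never complete, so the table fills
            self.dropped += 1
            return None
        isn = 0x1000 + len(self.half_open)        # toy ISN for the stateful path
        self.half_open[(saddr, sport)] = (isn, mss_idx)
        return isn

    def on_ack(self, saddr, daddr, sport, dport, ack_seq, count):
        """Third handshake step. Returns the negotiated MSS, or None if the ACK is rejected."""
        seq = (ack_seq - 1) & 0xFFFFFFFF
        if not self.syncookies:
            entry = self.half_open.pop((saddr, sport), None)
            if entry is None or entry[0] != seq:
                return None
            self.established += 1
            return MSS_TABLE[entry[1]]
        mss_idx = seq & 0x3
        for c in range(count, max(count - COOKIE_AGE, -1), -1):   # accept only recent counters
            if self._cookie(saddr, daddr, sport, dport, c, mss_idx) == seq:
                self.established += 1
                return MSS_TABLE[mss_idx]
        return None


def flood_then_legit(syncookies, spoofed=50):
    """Spoofed SYN flood (never ACKed) followed by one real client; returns (established, dropped)."""
    srv = SynReceiver(b"per-boot secret (constructed)", syncookies)
    for i in range(spoofed):   # constructed spoofed sources that never answer the SYN-ACK
        srv.on_syn(f"198.51.100.{i % 250 + 1}", "203.0.113.10", 40000 + i, 80, 1460, count=7)
    isn = srv.on_syn("192.0.2.5", "203.0.113.10", 51000, 80, 1460, count=7)
    if isn is not None:
        srv.on_ack("192.0.2.5", "203.0.113.10", 51000, 80, isn + 1, count=7)
    return srv.established, srv.dropped
```

With cookies off, the four-entry backlog fills with half-open entries and the real client's SYN is dropped; with cookies on, no state exists to exhaust and the real client completes, which is the effect the posts describe. The model also shows the cost #34 points at: every SYN and every ACK pays for a keyed hash.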

  35. #35
    Join Date
    Oct 2013
    Location
    Pennsylvania
    Posts
    92
    @toro (Matt) Wins and I'm sold. Thanks Toro for the explanation.
