Thread: syn-flood attack on port 80
-
05-30-2005, 04:07 AM #1 Web Hosting Guru
Join Date: Jun 2002 | Posts: 311
syn-flood attack on port 80
Hello,
I am having a SYN-flood attack on port 80: lots of spoofed unique IPs, each sending only one request at a time, 2500 +/- requests at a time. Bandwidth is almost at the limit of 100 Mbps.
What can be done by "me" to stop the attack, or at least ease the traffic?
My server provider simply null-routed my IP for 6 hours, hoping it would go away. Unfortunately, it doesn't.
I've tried apf-antidos and tuning sysctl.conf. None helped.
Thank you.
-
05-30-2005, 04:40 AM #2 Web Hosting Master
Join Date: Nov 2004 | Location: India | Posts: 1,104
You need to install BFD, and that will automatically add the attacking IPs to APF. APF and BFD together are a deadly combination.
AssistanZ - Beyond Boundaries...
Cloudstack Consultancy / 24x7 Web Hosting Support / 24x7 Server Management / Infrastructure Management Services
Web & Mobile Apps Development / Web Designing Services / Php, Grails, Java Development
-
05-30-2005, 04:43 AM #3 Web Hosting Master
Join Date: Nov 2004 | Location: India | Posts: 1,104
Also, you can get the attacking IPs using the following command:
netstat -an | grep SYN
and manually block them in APF.
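The command in post #3 lists every socket whose state contains "SYN"; the lines that matter for a flood are the ones in SYN_RECV (half-open connections), which is exactly the format post #6 later quotes. The script below is an added example, not code from the thread: it parses `netstat -an` output and reports how many half-open connections a port has and from how many distinct sources. It runs on a constructed sample (RFC 5737 documentation addresses) embedded in the script; on a live host you would pass "$(netstat -an)" instead. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise half-open TCP connections
# from `netstat -an` output, the command post #3 recommends. Runs on the
# constructed sample below; on a live host use "$(netstat -an)" instead.
# Addresses are documentation ranges (RFC 5737), chosen for the sample.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:25490      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40012      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51123       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51124       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.20:50000      ESTABLISHED'

# syn_recv_count NETSTAT_OUTPUT PORT
#   Number of half-open (SYN_RECV) connections to local port PORT.
#   Only SYN_RECV is counted, so LISTEN/ESTABLISHED lines that a plain
#   "grep SYN" would also show are left out.
syn_recv_count() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "tcp" && $6 == "SYN_RECV" && $4 ~ (":" port "$") { n++ }
    END { print n + 0 }'
}

# syn_recv_sources NETSTAT_OUTPUT PORT
#   Remote IPs currently in SYN_RECV against PORT, printed as "count ip",
#   most frequent first (the port part of the foreign address is dropped).
syn_recv_sources() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "tcp" && $6 == "SYN_RECV" && $4 ~ (":" port "$") {
      split($5, a, ":"); c[a[1]]++
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# syn_recv_unique_sources NETSTAT_OUTPUT PORT
#   Number of distinct remote IPs in SYN_RECV against PORT. When this is
#   close to syn_recv_count, nearly every half-open connection comes from a
#   different address, which is what post #6 reports; blocking addresses one
#   by one (apf -d) cannot keep up with that, whereas SYN cookies do not
#   depend on who the source is.
syn_recv_unique_sources() {
  syn_recv_sources "$1" "$2" | awk 'END { print NR }'
}

# syn_recv_report NETSTAT_OUTPUT PORT
#   Human-readable summary plus the five busiest sources.
syn_recv_report() {
  total=$(syn_recv_count "$1" "$2")
  distinct=$(syn_recv_unique_sources "$1" "$2")
  printf 'port %s: %s half-open connections from %s distinct sources\n' \
    "$2" "$total" "$distinct"
  syn_recv_sources "$1" "$2" | head -n 5
}

syn_recv_report "$SAMPLE_NETSTAT" 80
```

On the sample this reports 4 half-open connections from 3 distinct sources; a ratio near 1:1 over thousands of lines, as the original poster sees, is the signature of spoofed sources, where the per-IP list is useful as evidence for the upstream provider but not as a block list.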
-
05-30-2005, 08:52 AM #4 Web Hosting Evangelist
Join Date: Apr 2004 | Posts: 500
What does
netstat -an | grep SYN
mean, actually? Because even if I do
apf -d HOST CMT
and then
netstat -an | grep SYN
I still get at least 5 to 10 new and different IPs popping up, and I have installed both BFD and APF.
-
05-30-2005, 09:24 AM #5 Web Hosting Master
Join Date: Jan 2004 | Location: /home/dislexik | Posts: 823
torwill, have you tried using net.ipv4.tcp_syncookies?
# sysctl -w net.ipv4.tcp_syncookies=1
Make sure you save the settings in /etc/sysctl.conf as well:
#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
"You don’t learn to hack, you hack to learn"
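Post #5 makes two separate points: `sysctl -w` changes the running kernel, and the line in /etc/sysctl.conf is what makes the setting survive a reboot. The script below is an added example, not from the thread, that checks a sysctl.conf-style file for the persisted setting. It goes a little beyond the post: besides net.ipv4.tcp_syncookies it also reports two real Linux sysctls the post does not mention, net.ipv4.tcp_max_syn_backlog (size of the half-open queue) and net.ipv4.tcp_synack_retries (how many times a SYN-ACK is retransmitted before a half-open entry is dropped). The two sample configs are constructed, the function names and the ok/WEAK policy are my own, and nothing here touches the live kernel.

```shell
#!/bin/sh
# Added example (not from the thread): check a sysctl.conf-style file for the
# SYN-flood settings. net.ipv4.tcp_syncookies is the key post #5 names; the
# other two keys are real Linux sysctls added here as a generalisation, and
# the ok/WEAK policy is mine. Reads the config from stdin; changes nothing.

# Constructed sample: syncookies explicitly switched off, nothing else set.
WEAK_CONF='# constructed sample
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0'

# Constructed sample: what a host under SYN flood would want persisted.
HARDENED_CONF='#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2'

# sysctl_value KEY   (config on stdin)
#   Prints the last value assigned to KEY, or "missing". Comments and blank
#   lines are skipped; "key = value" and "key=value" are both accepted.
sysctl_value() {
  awk -v key="$1" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      line = $0
      sub(/[[:space:]]*=[[:space:]]*/, "=", line)   # normalise "key = value"
      n = split(line, kv, "=")
      if (n < 2) next
      gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
      if (kv[1] == key) v = kv[2]                    # last assignment wins, as sysctl does
    }
    END { print (v == "" ? "missing" : v) }'
}

# syn_flood_check   (config on stdin)
#   One line per key: "<key> <value> <status>". Returns 1 when SYN cookies are
#   not enabled in the file, so the function can gate a deploy or a monitoring check.
syn_flood_check() {
  conf=$(cat)
  rc=0
  for key in net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries; do
    val=$(printf '%s\n' "$conf" | sysctl_value "$key")
    case "$key:$val" in
      net.ipv4.tcp_syncookies:1) status=ok ;;
      net.ipv4.tcp_syncookies:*) status=WEAK; rc=1 ;;   # off, or not persisted at all
      *:missing)                 status=kernel-default ;;
      *)                         status=set ;;
    esac
    printf '%s %s %s\n' "$key" "$val" "$status"
  done
  return $rc
}

printf '%s\n' "$WEAK_CONF" | syn_flood_check || echo "WEAK_CONF: SYN cookies not persisted"
printf '%s\n' "$HARDENED_CONF" | syn_flood_check
```

On a real host run `syn_flood_check < /etc/sysctl.conf` for the persisted state and `sysctl -n net.ipv4.tcp_syncookies` (or `cat /proc/sys/net/ipv4/tcp_syncookies`) for the running value; the two can disagree, which is exactly the gap post #5 warns about.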
-
05-30-2005, 02:13 PM #6 Web Hosting Guru
Join Date: Jun 2002 | Posts: 311
I did a netstat -an, and there are 2000+ lines:
tcp 0 0 [my server ip]:80 [attack ip]:25490 SYN_RECV -
In these 2000 lines, each attack IP is different, no repeats.
syncookies, BFD, APF and APF antidos are all installed. None helped.
Thank you.
-
06-02-2005, 10:13 AM #7 WHT Addict
Join Date: Feb 2005 | Posts: 104
I really feel for you... DDoS TCP SYN floods are unfortunately one of the worst attacks you can get... The thing is that you have to let the traffic in, as this is what your customers use you for...
Is the destination address of the SYN packets an IP address or an FQDN (www.yourdomain.com)?
In the first case (IP address), all you can do is change the IP address of your server.
In the latter case (domain name), find out which domain the packets are hitting (Snort can help you with that) and remove the name servers of that domain.
Apart from that, providing enough capacity and bandwidth to deal with the requests is the only option (that I can immediately think of)...
Anyway, you have hopefully got it solved by now, but maybe this post can help someone else in the future...
MP Hosting
http://mphosting.net