  1. #1

    syn-flood attack on port 80

    hello,

    i am having a syn-flood attack on port 80, lots of spoofed unique IPs sending only one request at a time, 2500 +/- requests at a time. bandwidth is almost to the limit of 100Mbps.

    what can be done by "me" to stop the attack or at least ease the traffic?

    my server provider simply null-routed my ip for 6 hours, hope it will go away. unfortunately, it doesn't.

    i've tried apf-antidos, tuning sysctl.conf. none helped.

    Thank you.

  2. #2
    Join Date: Nov 2004 | Location: India | Posts: 1,104
    You need to install BFD and that will automatically add the attacking IPs in the apf. Both APF and BFD are a deadly combination.
    AssistanZ - Beyond Boundaries...
    Cloudstack Consultancy / 24x7 Web Hosting Support / 24x7 Server Management / Infrastructure Management Services
    Web & Mobile Apps Development / Web Designing Services / Php, Grails, Java Development

  3. #3
    Join Date: Nov 2004 | Location: India | Posts: 1,104
    Also you can get the attacking IPs using the following command,

    netstat -an | grep SYN

    then manually block them in APF.

  4. #4
    Join Date: Apr 2004 | Posts: 500
    What does
    netstat -an | grep SYN mean, actually?

    because even if i do
    apf -d HOST CMT

    and then
    netstat -an | grep SYN

    I still get at least 5 to 10 new and different IPs popping up, and I have installed both bfd and apf

  5. #5
    Join Date: Jan 2004 | Location: /home/dislexik | Posts: 823
    torwill, have you tried using net.ipv4.tcp_syncookies?

    # sysctl -w net.ipv4.tcp_syncookies=1

    Make sure you save the settings in /etc/sysctl.conf as well:

    #Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    "You don’t learn to hack, you hack to learn"

  6. #6
    i did a netstat -an, and there are 2000+ lines,

    tcp 0 0 [my server ip]:80 [attack ip]:25490 SYN_RECV -

    in these 2000 lines, each attack ip is different, no repeat.

    syncookies, bfd, apf, apf antidos are all installed. none helped.


    thank you.
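Posts #3, #4 and #6 revolve around reading `netstat -an | grep SYN` output by hand. The script below is an added example, not code from any of the posters: it parses that output, counts half-open (SYN_RECV) connections to port 80 per remote address, and reports how many sources appear only once. When almost every source is unique, as the original poster describes, that is the signature of a spoofed-source flood, and per-IP blocking with `apf -d` cannot keep up, so the useful knobs are syncookies and upstream capacity rather than more blocklist entries. The sample netstat text and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of `netstat -an` output, shaped like the SYN_RECV line
# quoted in post #6 (documentation-range IPs; not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:25490      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.8:31002      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40111      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:51234        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.45:51235        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.45:51299        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.200:60000       ESTABLISHED
"""

# proto recv-q send-q local:port foreign:port state  (IPv4 netstat layout)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state


def syn_recv_summary(text, port=80):
    """Count half-open (SYN_RECV) connections to `port`, keyed by remote IP."""
    counts = Counter()
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if state == "SYN_RECV" and lport == port:
            counts[rip] += 1
    return counts


def classify(counts, repeat_threshold=3):
    """Separate repeat offenders (candidates for a per-IP block) from one-shot
    sources. A high single-hit ratio is the spoofed-flood pattern: blocking
    individual addresses will not reduce the load."""
    total = sum(counts.values())
    repeaters = {ip: n for ip, n in counts.items() if n >= repeat_threshold}
    singles = sum(1 for n in counts.values() if n == 1)
    ratio = singles / len(counts) if counts else 0.0
    return {
        "half_open": total,
        "unique_sources": len(counts),
        "repeaters": repeaters,
        "single_hit_ratio": ratio,
    }


def report(text, port=80):
    """Return a one-line human-readable verdict for the given netstat text."""
    info = classify(syn_recv_summary(text, port))
    verdict = ("looks spoofed: per-IP blocking will not help"
               if info["single_hit_ratio"] >= 0.9 else
               "some repeaters: per-IP blocking may trim it")
    return (f"{info['half_open']} half-open to :{port} from "
            f"{info['unique_sources']} sources, "
            f"{info['single_hit_ratio']:.0%} seen once; {verdict}")


if __name__ == "__main__":
    # Usage on a live box:  netstat -an | python3 synflood_summary.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(data))
```

Run it as `netstat -an | python3 synflood_summary.py` on the affected host; with no piped input it falls back to the constructed sample. The threshold and the 90% cut-off are arbitrary starting points, not values from the thread.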

  7. #7
    I really feel for you... DDoS TCP SYN Floods are unfortunately one of the worst attacks you can get... The thing is that you have to let the traffic in, as this is what your customers use you for...

    Is the destination address of the SYN packets an IP address or an FQDN (www.yourdomain.com)?

    In the first case (IP Address), all you can do is to change the IP address of your server.

    In the latter case (domain name), find out which domain the packets are hitting (Snort can help you with that) and remove the name servers of that domain.

    Apart from that, providing enough capacity and bandwidth to deal with the requests is the only option (that I can immediately think of)...

    Anyway, you hopefully got it solved by now anyway, but maybe this post can help someone else in the future...
    MP Hosting
    http://mphosting.net
