  1. #1

    SYN Flood Attack

    We are currently experiencing a SYN flood attack on our primary production server and are looking for some help in resolving the issue.

    Running:
    Novell SUSE Linux Enterprise Server 10.2-64
    SuperMicro X7DBR-E Intel Xeon QuadCore DualProc SATA [2Proc]
    Processor Intel Xeon-Clovertown 5320L-QuadCore [1.86GHz]
    8GB Memory
    @ Softlayer DC in Texas.

    Need help within the next hour or two. Please ask any necessary follow up questions and how you might go about resolving the issue (i.e. SYN Cookies, etc.)

    Thanks,
    Hunter

  2. #2
    Step one would be to enable SYN cookies.
    Code:
     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    Step two would be to ensure you have some sort of reactive firewall. I personally am a big fan of the CSF firewall (http://www.configserver.com/cp/csf.html). Make sure you enable the known attackers/RBL blocks in addition to port flooding.

    If you've still got a ton of bad traffic, I personally like to take a packet capture of the inbound traffic and see what's going on. You'll see a lot of stuff based on using Apache modules to insert iptables rules, etc.; however, that's typically hit or miss.

    Start a packet capture. This should be run as root. I typically let this run for a good 30 seconds or so.
    Code:
     tcpdump -nn -i eth0 > /root/packets
    Next up, let's parse out only the IPs, it's really the only spot we need...

    Code:
     # field 3 of `tcpdump -nn` output is src.port; sort before uniq, otherwise uniq only drops adjacent repeats
     awk '{print $3}' /root/packets | sort | uniq >> /root/cleaned
    Now in this /root/cleaned file, you're going to have a list of *everything* throwing traffic at your server; however, the ones throwing traffic at your machine are going to be easily identifiable as they'll have an incrementing source port (typically). The source port is the number after the IP, so in this case, 10.10.10.10.1234 would equal a source port of 1234.

    If you have an IP in that file 30 times over with an incrementing source port, that's straight up (D)DoS traffic and should be blocked. Now I tend to shy away from iptables-based blocks and prefer to use the kernel's routing table for this, as it seems to work out much better. To heck with filtering the source host through iptables when you're trying to just flat out deny it. Instead I just use nullroutes.

    Code:
     route add -host 10.10.10.10 gw 127.0.0.1
    Now, lets say you have most of a /24 subnet attacking your machine. You can blackhole that whole subnet by doing the following...

    Code:
     route add -net 10.10.10.0/24 gw 127.0.0.1

    Bam, done and said with. Simply put, blackhole nullrouting is a crazy amount more efficient and speedy than handling via iptables. One command has been integral to Linux as an OS since day one and MANY optimizations have gone into it. Simple, effective, fast. The other (iptables) has many more options, is more complex and requires more 'work' from your machine to process.

    Keep in mind, if this is UDP based, this trick won't have the same results for you.

    Also to clear the routing table, just restart networking on your machine and you should be good.

    edit: It should be noted that this is more of an intensive process work-wise. While we personally have scripts to automate the blocking via this method, I'm just showing you how it's done by hand in case you choose to go your own route. You should try the first two things first and see how they play out for you before proceeding.
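    The steps above (capture, pull out field 3, spot the source IPs cycling through many source ports, nullroute them) as one script, added here as an example; it is not from the original post or its author. It assumes the `tcpdump -nn` line format (timestamp, "IP", src.port > dst.port: ...), uses a constructed sample capture with documentation-range addresses in place of /root/packets, and prints the `route add` commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: automate the by-hand analysis
# above. Given `tcpdump -nn -i eth0` output on stdin, count how many distinct
# source ports each source IP used (the "incrementing source port" pattern),
# and emit, rather than run, a nullroute command for each IP over a threshold.

# Constructed sample capture in tcpdump -nn line format. 203.0.113.7 plays the
# flood source (six SYNs, six source ports); 198.51.100.20 is a normal client
# on one connection; 198.51.100.33 opened two connections. Addresses are
# documentation ranges, not real hosts.
SAMPLE_CAPTURE='12:00:00.000001 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
12:00:00.000003 IP 203.0.113.7.40003 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
12:00:00.000004 IP 198.51.100.20.51515 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
12:00:00.000005 IP 203.0.113.7.40004 > 192.0.2.10.80: Flags [S], seq 4, win 512, length 0
12:00:00.000006 IP 198.51.100.20.51515 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
12:00:00.000007 IP 203.0.113.7.40005 > 192.0.2.10.80: Flags [S], seq 5, win 512, length 0
12:00:00.000008 IP 198.51.100.33.33000 > 192.0.2.10.80: Flags [S], seq 200, win 65535, length 0
12:00:00.000009 IP 198.51.100.20.51515 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
12:00:00.000010 IP 203.0.113.7.40006 > 192.0.2.10.80: Flags [S], seq 6, win 512, length 0
12:00:00.000011 IP 198.51.100.33.33001 > 192.0.2.10.80: Flags [S], seq 300, win 65535, length 0
12:00:00.000012 IP 198.51.100.20 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64'

# stdin: tcpdump -nn lines. stdout: "<distinct source ports> <source ip>",
# most ports first. Field 3 is src.port; lines whose field 3 carries no port
# (ICMP, ARP, IPv6) are skipped rather than miscounted.
distinct_ports_per_ip() {
    awk '$2 == "IP" && split($3, f, ".") == 5 {
             print f[1] "." f[2] "." f[3] "." f[4], f[5]
         }' |
    sort -u |
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# stdin: tcpdump -nn lines. $1: threshold of distinct source ports. Prints the
# post's nullroute command for each IP above it, so the operator reviews the
# list before applying anything.
suspect_nullroutes() {
    distinct_ports_per_ip |
    awk -v t="$1" '$1 + 0 > t + 0 { print "route add -host " $2 " gw 127.0.0.1" }'
}

# Stand-alone run against the constructed capture; on a live box, replace the
# printf with `cat /root/packets`.
printf '%s\n' "$SAMPLE_CAPTURE" | suspect_nullroutes 3
```

    Because SYN cookies only protect the listen queue, the script keeps the capture-side check separate: it ranks by distinct source ports rather than raw packet count, so a busy legitimate client reusing one connection (198.51.100.20 above) is not mistaken for a flooder, and the ICMP line is ignored instead of being counted as a bogus "port".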

  3. #3
    Hire a management company...

  4. #4
    A lot of the free firewalls out there should sort that out for you.
    Even better pay for server management.

  5. #5
    Cool, Chris, nice article!

  6. #6
    There have been a lot of SYN floods going on. I've seen SYN floods in the range of 120,000+ requests per second and 100+ megabits' worth of SYN flooding... Software firewalls aren't going to help you against that, and no matter how much you optimize your server you're not going to be able to handle 120k requests per second imho.

    Only thing you can do is null-route the IP that is targeted and wait it out. Good luck.

    (I found that null-routing the syn flood on the server level didn't help since they were filling the pipe to the server).
    Michael Denney - MDDHosting LLC
