#1, 04-05-2007, 04:26 AM
LQ Newbie, Registered: Mar 2007, Posts: 9
How do I protect myself against TCP SYN flooding?
Hello folks, as the headline says, I have lately been attacked several times, where my homepage has been literally frozen because of the massive attack on port 80.
My problem is, as I said, that I really need protection against this. I have searched all over the web and tried hundreds of solutions. None of them helped.
Not even SYN cookies, which were recommended by another Linux forum, helped at all.
If there's anyone who just has a CLUE about what I could do, tell me :-)
#2, 04-05-2007, 07:27 AM
Member, Registered: Aug 2006, Posts: 609
Quote: Originally Posted by arkaan
Hello folks, as the headline says, I have lately been attacked several times, where my homepage has been literally frozen because of the massive attack on port 80.
My problem is, as I said, that I really need protection against this. I have searched all over the web and tried hundreds of solutions. None of them helped.
Not even SYN cookies, which were recommended by another Linux forum, helped at all.
If there's anyone who just has a CLUE about what I could do, tell me :-)
You can change the number of times your machine will re-try the SYN/ACK.
#3, 04-05-2007, 08:52 AM
Member, Registered: Jul 2003, Location: Miami, Florida, USA, Distribution: Debian, Posts: 848
Sounds like a DOS (Denial of Service) Attack.
Put this in your rc.local file:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies                # answer with SYN cookies once the SYN backlog is full
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # don't reply to pings sent to broadcast addresses
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route  # drop source-routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects     # ignore ICMP redirects
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects     # if redirects are accepted, only from known gateways
Also make sure you set up iptables firewall rules that will drop everything except port 80. There are also parameters you can set to minimize the number of TCP sessions per host; that cuts down on connection problems.
#4, 04-05-2007, 09:54 AM
Senior Member, Registered: Feb 2006, Location: Siberia, Distribution: Slackware & Slamd64. What else is there?, Posts: 1,705
Quote: Originally Posted by arkaan
Hello folks, as the headline says, I have lately been attacked several times, where my homepage has been literally frozen because of the massive attack on port 80.
My problem is, as I said, that I really need protection against this. I have searched all over the web and tried hundreds of solutions. None of them helped.
Not even SYN cookies, which were recommended by another Linux forum, helped at all.
If there's anyone who just has a CLUE about what I could do, tell me :-)
Install a router or other hardware firewall between your box and the network. They're not expensive.
#5, 04-08-2007, 09:57 AM
LQ Newbie (Original Poster), Registered: Mar 2007, Posts: 9
ramram, none of the stuff you came up with helped a bit. Isn't there a way that I can trace the attackers' IP addresses and later ban them?
I haven't been able to trace down any of them yet :[
#6, 04-08-2007, 04:08 PM
Member, Registered: Mar 2007, Location: CORE, Distribution: FC6, FreeBSD, XP?, Posts: 34
arkaan.. what's your site about? If you have a torrent tracker or something like that, then my friend, I believe you're dealing with the same DDoS I am. Try to install snort and run "snort -i eth0 -vde" (or maybe eth1), and if you see any stuff like $MyNick bla bla bla, then my friend.. you have a problem.
This kind of attack is done using users on Direct Connect hubs as bots. Just imagine controlling users on 30 hubs (1000-15000 users on every hub) and forcing them to connect to a $host and $port.
#7, 04-09-2007, 02:53 PM
Member, Registered: Jul 2003, Location: Miami, Florida, USA, Distribution: Debian, Posts: 848
You need to set up iptables firewall rules that limit the number of connections per host. That way one host can only connect a certain number of times. However, if you have a DDNS (Distributed Denial of Service) attack, then it will be trickier.
Another thing you can do is create a script that monitors how many times an IP address tries to connect to your system; if it tries to connect more than 20 times in every 5 seconds, then add it to the hosts.deny file. Make sure you monitor everything.
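The monitor sketched in this post ("more than 20 connection attempts in 5 seconds, then add the address to hosts.deny"), written out as an added example that is not code from the thread: a POSIX sh/awk filter over iptables LOG lines. It assumes inbound SYNs to port 80 are logged with a constructed prefix "SYN80 "; the addresses and log lines are constructed as well.

```shell
# Assumes SYNs to port 80 are logged by a rule such as (constructed prefix):
#   iptables -A INPUT -p tcp --dport 80 --syn -j LOG --log-prefix "SYN80 "

# find_flooders LIMIT WINDOW < syslog
# Prints "ALL: <ip>" (hosts.deny syntax) for every source that sent more than
# LIMIT SYNs within any WINDOW-second span. Only HH:MM:SS is parsed, so feed it
# one day of log at a time; events must be in time order per source address.
find_flooders() {
    awk -v limit="$1" -v window="$2" '
        function src(line) {                  # "... SRC=a.b.c.d ..." -> a.b.c.d
            match(line, /SRC=[0-9.]+/)
            return substr(line, RSTART + 4, RLENGTH - 4)
        }
        function secs(hms_str, hms) {         # "14:53:01" -> seconds of day
            split(hms_str, hms, ":")
            return hms[1] * 3600 + hms[2] * 60 + hms[3]
        }
        /SYN80 / {
            ip = src($0); t = secs($3)
            n[ip]++; ts[ip, n[ip]] = t
            if (!(ip in head)) head[ip] = 1
            # Slide the window start past events older than WINDOW seconds.
            while (head[ip] < n[ip] && ts[ip, head[ip]] <= t - window) head[ip]++
            if (n[ip] - head[ip] + 1 > limit) flagged[ip] = 1
        }
        END { for (ip in flagged) print "ALL: " ip }
    ' | sort
}

# Constructed sample: 203.0.113.5 opens 24 connections in three seconds (a
# flood); 198.51.100.7 opens one a minute (ordinary browsing).
sample_log() {
    i=0
    while [ "$i" -lt 24 ]; do
        printf 'Apr  9 14:53:0%d web kernel: SYN80 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN\n' "$((i / 8))"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do
        printf 'Apr  9 14:5%d:00 web kernel: SYN80 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN\n' "$i"
        i=$((i + 1))
    done
}

# Review the output before appending it to /etc/hosts.deny.
sample_log | find_flooders 20 5
```

Note that hosts.deny only affects services that consult TCP wrappers, so for a web server the same list is more useful as input to an iptables DROP rule.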
#8, 04-10-2007, 09:57 PM
Member, Registered: Mar 2007, Location: 127.0.0.1, Distribution: OpenBSD-CURRENT, Posts: 485
In addition to the wonderful info that's already been given, you can recompile your kernel to reduce the "half-open" state timeout and "max connections from ip". I don't know the exact technical terms here, but I know it can be done...and it would help to an extent.
#9, 04-16-2007, 07:54 PM
Member, Registered: Mar 2007, Posts: 119
Whilst the suggestions given do help a bit, it sounds like you are suffering from a distributed denial of service attack.
The best recourse is the ISP, generally these attacks are blocked upstream on the main routers.
Sometimes this can affect a number of networks, so it tends to be taken fairly seriously, and don't be surprised if law enforcement is brought in by one of the parties.