LinuxQuestions.org
Old 06-15-2004, 03:34 PM   #1
micro_sucks
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
SYN_RECV flood still happening with giptables


Hello everyone, I finally finished configuring giptables as well as mrtg and am now having one final problem. My website was working well for a few hours, then all of a sudden I am unable to access it. I do a netstat -veen and realize I have over 90 SYN_RECV connection states. I thought giptables was supposed to protect against this sort of attack? My hardware:
AMD Athlon XP 3000+ with 400 MHz FSB
1 GB Kingston RAM
ASUS network card
Here is what is going on:
Code:
[root@cp root]# netstat -veen
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode     
tcp        0      0 **.**.**.50:80          204.210.184.36:19794    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.46.184.55:2692      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          221.232.75.67:4132      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          172.190.15.2:3469       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.13.93.42:46357      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.46.184.55:2811      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.164.210.56:1391     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.231.179.130:61723   SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.231.179.130:61761   SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          221.232.75.67:1092      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          68.32.67.242:51402      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          63.174.237.93:3417      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          64.213.219.6:4127       SYN_RECV    0          0          
tcp        0      0 **.**.**.55:80          221.232.75.67:1875      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          65.110.62.20:1158       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          62.219.122.170:1537     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.162.49.222:1347     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.190.28.31:3977      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          216.158.158.12:37900    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.18.27.192:2660      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          219.140.84.93:3726      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.171.17.159:4698      SYN_RECV    0          0          
tcp        0      0 **.**.**.52:80          221.232.75.67:4534      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          64.173.197.130:4619     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          216.158.158.12:39172    SYN_RECV    0          0          
tcp        0      0 **.**.**.54:80          219.140.84.93:1302      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.231.179.130:61665   SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          24.167.123.230:1174     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          68.32.67.242:39376      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.137.220.252:4376     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          69.56.230.234:1371      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.166.119.113:1532     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          66.76.117.32:3616       SYN_RECV    0          0          
tcp        0      0 **.**.**.59:80          221.232.75.67:4310      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.247.212.95:4259      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.137.220.252:1309     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.166.119.113:1755     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          65.54.164.62:29565      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          208.181.173.34:3322     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.59.204.76:4480       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          208.181.173.34:4112     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.184.141.137:2089     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.231.179.130:61800   SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.56.175.30:9064      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          68.223.98.153:50824     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:3999      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          68.4.11.248:3567        SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          203.45.106.66:1916      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          67.234.73.89:2046       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          217.231.179.130:61843   SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          64.213.219.6:1549       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:3616      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          66.197.0.218:2531       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          67.164.238.183:3233     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.162.230.231:4141    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.184.141.137:2142     SYN_RECV    0          0          
tcp        0      0 **.**.**.57:80          219.140.84.93:3024      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          221.232.75.67:2470      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:1605      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          219.140.84.93:2286      SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          24.167.123.230:3098     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:1429      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          216.158.158.12:36680    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.164.210.56:1670     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:3692      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          206.156.230.86:55219    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          69.81.144.240:2565      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.140.84.93:2005      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          80.142.124.39:4570      SYN_RECV    0          0          
tcp        0      0 **.**.**.59:80          219.140.84.93:2735      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          165.21.154.8:52805      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          208.181.173.34:3679     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          82.39.104.95:3414       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.20.54.236:2596       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          62.219.122.170:1720     SYN_RECV    0          0          
tcp        0      0 **.**.**.55:80          67.234.73.93:3013       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          220.186.56.201:1740     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          211.26.141.6:2339       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.162.22.241:4632      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          216.226.139.51:59657    SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          24.59.204.76:2339       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.164.210.56:1487     SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          212.235.96.40:2566      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.46.184.55:2682      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.0.120.52:3256       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          172.148.61.81:1088      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.145.2.143:4109      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          172.185.29.95:2358      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          219.0.120.52:3106       SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          218.46.184.55:2885      SYN_RECV    0          0          
tcp        0      0 **.**.**.50:80          216.158.158.12:37235    SYN_RECV    0          0          
tcp        0      0 **.**.**.56:80          221.232.75.67:2398      SYN_RECV    0          0          
tcp        0   6256 **.**.**.50:22          66.58.97.98:1540        ESTABLISHED 0          581417     
tcp        0      0 127.0.0.1:3306          127.0.0.1:36697         ESTABLISHED 75         576856     
tcp       53      0 127.0.0.1:36697         127.0.0.1:3306          ESTABLISHED 500        576855     
tcp        0      0 **.**.**.53:36272       61.156.44.125:8897      ESTABLISHED 14         278447     
tcp        0      0 **.**.**.53:36079       61.156.44.125:8897      ESTABLISHED 14         277432
Thanks for helping me out
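The listing above is easier to act on once it is grouped by remote address: a handful of hosts each holding several half-open sockets calls for a per-source limit, while one SYN per host from many addresses does not. The script below is an added example written for this page, not code from the thread or from giptables. The sample netstat lines are a constructed subset of the poster's output, with the local addresses masked the same way; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): group SYN_RECV sockets in
# `netstat -n` output by remote address, so a flood from a few hosts
# can be told apart from one SYN per host.

# Constructed sample, a subset of the netstat output in the first post.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 **.**.**.50:80          204.210.184.36:19794    SYN_RECV    0          0
tcp        0      0 **.**.**.50:80          218.46.184.55:2692      SYN_RECV    0          0
tcp        0      0 **.**.**.56:80          221.232.75.67:4132      SYN_RECV    0          0
tcp        0      0 **.**.**.50:80          218.46.184.55:2811      SYN_RECV    0          0
tcp        0      0 **.**.**.56:80          221.232.75.67:1092      SYN_RECV    0          0
tcp        0      0 **.**.**.55:80          221.232.75.67:1875      SYN_RECV    0          0
tcp        0      0 **.**.**.50:80          217.231.179.130:61723   SYN_RECV    0          0
tcp        0      0 **.**.**.50:80          217.231.179.130:61761   SYN_RECV    0          0
tcp        0      0 **.**.**.50:22          66.58.97.98:1540        ESTABLISHED 0          581417
tcp        0      0 127.0.0.1:3306          127.0.0.1:36697         ESTABLISHED 75         576856'

# syn_recv_count: total number of SYN_RECV sockets on stdin.
# Fields: Proto Recv-Q Send-Q Local Foreign State ...
syn_recv_count() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# syn_recv_by_source: "count address" per remote host, busiest first.
# The trailing :port is stripped so every half-open socket from one host
# lands in the same bucket (works for tcp6 lines too).
syn_recv_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
            src = $5; sub(/:[0-9]+$/, "", src); n[src]++
         }
         END { for (s in n) print n[s], s }' \
    | sort -k1,1nr -k2,2
}

# top_syn_source: the single remote address with the most half-open sockets.
top_syn_source() {
    syn_recv_by_source | head -n 1 | awk '{ print $2 }'
}

# syn_recv_repeat_offenders [MIN]: remote addresses holding at least MIN
# half-open sockets (default 2); candidates for a per-source limit or a
# temporary DROP rule.
syn_recv_repeat_offenders() {
    min="${1:-2}"
    syn_recv_by_source | awk -v m="$min" '$1 >= m { print $2 }'
}

# Demo on the constructed sample.  On a live host: netstat -tn | syn_recv_by_source
printf '%s\n' "$SAMPLE" | syn_recv_by_source
```

On the full listing in the first post the same grouping shows a few addresses (221.232.75.67, 219.140.84.93, 80.142.124.39, 217.231.179.130) each holding five or more half-open sockets while most others hold one, which is the mix a per-source rate limit handles and a plain global SYN limit does not.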
 
Old 06-15-2004, 05:24 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Did you enable syn-flood protection in the giptables.conf file?

If you haven't, check out the link to the docs posted below under the "Syn-flood Protection Definitions" header.

You can also make sure that giptables is enabling tcp_syncookies by doing:
more /proc/sys/net/ipv4/tcp_syncookies
If it's enabled, you should see a "1" as the contents of the file.

giptables doc:
http://www.giptables.org/configuration.html
 
Old 06-15-2004, 05:46 PM   #3
micro_sucks
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Original Poster
Rep: Reputation: 0
The weird thing is I have SYN cookies enabled as well as the SYN-flood protection in giptables. I do not know what to do anymore. It looks to me like giptables limits the number of new connections, but not total connections. It's been about 12 hours and the same IPs have the same state, SYN_RECV. Is there another script that would help me in this situation, or a rule base? Some help as to what I could do to be able to access my webserver again would be very helpful.
 
Old 06-15-2004, 06:23 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
SFAIK SYN cookies will only help you if the same IP is trying to SYN flood you, but it won't help if multiple IPs are sending one SYN each.

There may be some sysctl kernel variables that let you reduce the amount of time that a connection will sit in SYN_RECV before it times out.
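Reply #2 checks one knob (tcp_syncookies) by hand and this reply points at the sysctl variables that shorten how long a SYN_RECV entry lives. The script below is an added example for this page, not code from the thread or from giptables, that checks all three related knobs at once. The knob names are the real files under /proc/sys/net/ipv4; the pass/fail thresholds, the function names and the ability to point the check at a copied directory tree are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread: audit the Linux sysctl knobs that
# decide how long half-open (SYN_RECV) sockets linger and when SYN cookies
# take over.  Thresholds below are this example's choices.
#
#   tcp_syncookies       1: once the SYN backlog is full, answer with a
#                        SYN-ACK whose sequence number encodes the state,
#                        so nothing is queued until the client's ACK arrives
#   tcp_max_syn_backlog  size of the SYN_RECV queue before cookies kick in
#   tcp_synack_retries   how many times an unanswered SYN-ACK is resent; the
#                        wait roughly doubles per retry, so fewer retries
#                        means a half-open entry is dropped much sooner

DEFAULT_ROOT=/proc/sys/net/ipv4

# read_sysctl ROOT NAME: the knob's value, or "missing" if the file is absent.
read_sysctl() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# is_int VALUE: true if VALUE is a non-negative integer.
is_int() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# check_syn_defenses [ROOT]: print one "OK|WARN name=value" line per knob
# and return 1 if any knob is weak.  ROOT defaults to the live kernel and
# may point at a copied or constructed tree for an offline check.
check_syn_defenses() {
    root="${1:-$DEFAULT_ROOT}"
    rc=0
    cookies=$(read_sysctl "$root" tcp_syncookies)
    backlog=$(read_sysctl "$root" tcp_max_syn_backlog)
    retries=$(read_sysctl "$root" tcp_synack_retries)

    if [ "$cookies" = 1 ]; then
        echo "OK   tcp_syncookies=$cookies"
    else
        echo "WARN tcp_syncookies=$cookies (want 1)"; rc=1
    fi

    # Example threshold only: a queue of a few hundred fills in seconds.
    if is_int "$backlog" && [ "$backlog" -ge 1024 ]; then
        echo "OK   tcp_max_syn_backlog=$backlog"
    else
        echo "WARN tcp_max_syn_backlog=$backlog (want >= 1024)"; rc=1
    fi

    # Example threshold only: the usual default of 5 retries keeps an entry
    # around far longer than 2 or 3 do.
    if is_int "$retries" && [ "$retries" -le 3 ]; then
        echo "OK   tcp_synack_retries=$retries"
    else
        echo "WARN tcp_synack_retries=$retries (want <= 3)"; rc=1
    fi
    return $rc
}

# make_sysctl_tree DIR COOKIES BACKLOG RETRIES: build a constructed tree in
# the same layout as /proc/sys/net/ipv4, for exercising the check offline.
make_sysctl_tree() {
    mkdir -p "$1"
    echo "$2" > "$1/tcp_syncookies"
    echo "$3" > "$1/tcp_max_syn_backlog"
    echo "$4" > "$1/tcp_synack_retries"
}

# Demo on a constructed weak tree; on the live host just run: check_syn_defenses
demo=$(mktemp -d)
make_sysctl_tree "$demo/weak" 0 256 5
check_syn_defenses "$demo/weak" || echo "weak SYN-flood settings found"
rm -rf "$demo"
```

A "1" in tcp_syncookies only matters once the backlog is actually full; while the queue still has room, every SYN gets a normal SYN_RECV entry that lives until the SYN-ACK retries are exhausted, which is why tcp_synack_retries decides how long the entries in the first post stay visible.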
 
Old 06-15-2004, 07:24 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by chort
SFAIK SYN cookies will only help you if the same IP is trying to SYN flood you, but it won't help if multiple IPs are sending one SYN each.
It shouldn't make a difference. Once the queue begins to fill, the system won't enter any new states into the table unless the remote system(s) sending SYNs respond to the SYN-ACK with the proper "cookie". So whether it's one or a bunch, as long as it isn't attempting real TCP connections, then tcp_syncookies should help mitigate it some.


@micro_sucks:
check the state table to see how many connections are actively in there. With that much RAM, you should at least be able to handle 1024 simultaneous connections. Check the number of entries with:
cat /proc/net/ip_conntrack | wc -l
That should spit out the number of entries in the table. You only posted ~98 entries, so you should be well below the max threshold.

You might also want to fire up tcpdump and capture a few packets in order to get an idea of how big the packets are and how fast they're coming at you. If they're coming in reasonably fast, you can do burst limiting.
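The "burst limiting" suggested above is an iptables limit match on new-connection SYNs in front of the web port. The script below is an added example written for this page, not giptables' own rules and not code from the thread; the chain name SYN_LIMIT, the 25/second rate and burst of 50, the DRY_RUN switch and the function names are this example's choices. It also wraps the conntrack count from the reply, with the newer /proc/net/nf_conntrack path as a fallback.

```sh
#!/bin/sh
# Added example, not from the thread and not giptables' own rules: a burst
# limiter for inbound SYNs plus a conntrack table count.  Run as root with
# DRY_RUN= (empty) to install the rules for real; by default they are
# printed so the rule set can be reviewed first.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# syn_limit_rules PORT [RATE] [BURST]: create a SYN_LIMIT chain that lets
# RATE new connections per second through (with an initial burst of BURST)
# and drops the rest.  Only packets with SYN set and ACK clear, i.e. new
# connection attempts, are sent to the chain, so traffic on connections
# that already completed the handshake is never throttled.  The -I puts
# the jump ahead of whatever giptables already installed in INPUT.
syn_limit_rules() {
    port="$1"; rate="${2:-25/second}"; burst="${3:-50}"
    run "$IPT" -N SYN_LIMIT
    run "$IPT" -A SYN_LIMIT -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    run "$IPT" -A SYN_LIMIT -j DROP
    run "$IPT" -I INPUT -p tcp --dport "$port" --syn -j SYN_LIMIT
}

# conntrack_entries [FILE]: number of tracked connections, one per line.
# 2.4 and early 2.6 kernels list them in /proc/net/ip_conntrack, later ones
# in /proc/net/nf_conntrack; FILE lets a saved copy be counted instead.
conntrack_entries() {
    if [ -n "$1" ]; then f="$1"
    elif [ -r /proc/net/ip_conntrack ]; then f=/proc/net/ip_conntrack
    else f=/proc/net/nf_conntrack; fi
    [ -r "$f" ] || { echo 0; return 0; }
    wc -l < "$f" | tr -d ' '
}

# Demo: show the rules that would be installed for the web server on port 80.
syn_limit_rules 80
```

The limit match keeps one global token bucket, so during a flood it caps legitimate visitors along with the attackers; it buys time rather than fixing the problem. On kernels that have it, a per-source match (`-m hashlimit` with `--hashlimit-mode srcip`) gives each remote address its own bucket, which is the right tool for the few repeat offenders visible in the first post.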
 
  

