Old 03-17-2009, 01:20 AM   #1
[IpTables] Syn Flood protection and apache lag


I have a problem when I try to protect my Debian 5.0 against SYN flooding.
I set tcp_syncookies = 1 and tcp_syn_retries = 3

I have these rules:
-A INPUT -j banned_ip 
-A INPUT -j floods_protect 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j ports 
-A INPUT -i eth0 -p icmp -j ACCEPT 
-A floods_protect -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j RETURN 
-A floods_protect -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
-A floods_protect -i eth0 -p udp -m limit --limit 10/sec -j RETURN 
-A floods_protect -i eth0 -p udp -j DROP 
-A floods_protect -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j RETURN 
-A floods_protect -i eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec -j RETURN 
-A floods_protect -i eth0 -p icmp -j DROP 
-A ports -p udp -m udp --dport 53 -j ACCEPT 
-A ports -p tcp -m tcp --dport 953 -j ACCEPT 
-A ports -p tcp -m tcp --dport 53 -j ACCEPT 
-A ports -p tcp -m tcp --dport 1193 -j ACCEPT
With these rules, the server is protected against SYN flooding, but Apache doesn't respond or takes too long to respond.
I tried changing limit-burst and limit 1/sec, but either the protection doesn't work or Apache doesn't respond.

Do you have any idea how to protect Apache against SYN flood while keeping Apache responsive?
Should I try lighttpd?

Thanks (sorry for language mistakes, it is not my mother tongue).
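As an added illustration (not code from the thread), the following Python models the token bucket behind `-m limit --limit 1/sec --limit-burst 3` and shows why the first rule of the floods_protect chain above stalls Apache: a single global bucket is drained by the flooding source, so a legitimate client that connects every two seconds never reaches the RETURN rule and falls through to DROP, while a bucket kept per source IP (what the hashlimit match, `-m hashlimit --hashlimit-mode srcip`, provides; an assumption not mentioned in the thread) isolates the flooder. The traffic mix and rates are constructed.

```python
# Added illustration, not part of the thread: model of the iptables "limit" match
# (a token bucket) applied to the thread's rule "--limit 1/sec --limit-burst 3".
from collections import defaultdict


class TokenBucket:
    """Approximates -m limit: the bucket starts full at `burst` tokens and
    refills at `rate` tokens per second; a packet matches only if a token is left."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_events(legit_times, flood_rate, seconds):
    """Constructed traffic: one legitimate client sending SYNs at `legit_times` and
    one flooding source sending `flood_rate` SYN/s for `seconds`, merged by timestamp."""
    flood = [(i / flood_rate, "flood") for i in range(int(flood_rate * seconds))]
    legit = [(t, "legit") for t in legit_times]
    return sorted(flood + legit)


def accept_ratios(events, rate, burst, per_source):
    """Fraction of SYNs per source that hit the rate-limited RETURN rule instead of
    the DROP that follows it. per_source=False is the thread's single global bucket;
    per_source=True is what a hashlimit bucket keyed on source IP (assumption:
    -m hashlimit --hashlimit-mode srcip) would do."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    accepted, total = defaultdict(int), defaultdict(int)
    for t, src in events:
        key = src if per_source else "global"
        total[src] += 1
        accepted[src] += buckets[key].allow(t)
    return {src: accepted[src] / total[src] for src in total}


if __name__ == "__main__":
    # Legitimate client: one SYN every 2 s; flooder: 100 SYN/s for 10 s.
    ev = syn_events([0.25, 2.25, 4.25, 6.25, 8.25], flood_rate=100, seconds=10)
    print("global limit:", accept_ratios(ev, rate=1, burst=3, per_source=False))
    print("per-source  :", accept_ratios(ev, rate=1, burst=3, per_source=True))
```

With the global bucket the legitimate client's acceptance ratio is 0.0; with per-source buckets it is 1.0 while the flooder is still held to roughly one SYN per second.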
Old 03-17-2009, 06:28 AM   #2
You don't need to use iptables for SYN flood protection.

sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

This will turn on syncookies to track half-open connections and then limit the number of half-open connections to 2048.
Old 03-17-2009, 05:30 PM   #3
Original Poster
I assume that syncookies and modifying the backlog size are not effective.
Actually I have this:
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 2048
When I try to SYN flood my secured server, it becomes very slow.
Do you have any idea?

Old 03-17-2009, 05:45 PM   #4
TCP SYN cookies only prevent service from being denied due to full SYN queues. If your performance is suffering because the SYN flood is also clogging your uplink, there's nothing you can do about that. Verify that network usage is at sane levels.