LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-05-2007, 04:26 AM   #1
arkaan
LQ Newbie
 
Registered: Mar 2007
Posts: 9

Rep: Reputation: 0
How do I protect myself against TCP SYN flooding?


Hello folks, as the headline says I have lately been attacked several times, where my homepage has been literally freezed, because of the massive attack on port 80.

My problem is, as I said, that I really need protection against this, I have searched all over the web and tryed hundreds of solutions.. None of them helped.

Not even syncooking which was recommended by another linuxforum helped at all..




If there's anyone who just have a CLUE about what I could do, tell me :-)
 
Old 04-05-2007, 07:27 AM   #2
deadeyes
Member
 
Registered: Aug 2006
Posts: 609

Rep: Reputation: 79
Quote:
Originally Posted by arkaan
Hello folks, as the headline says I have lately been attacked several times, where my homepage has been literally freezed, because of the massive attack on port 80.

My problem is, as I said, that I really need protection against this, I have searched all over the web and tryed hundreds of solutions.. None of them helped.

Not even syncooking which was recommended by another linuxforum helped at all..




If there's anyone who just have a CLUE about what I could do, tell me :-)
You can change the number of times your machine will re-try the SYN/ACK.
 
Old 04-05-2007, 08:52 AM   #3
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Sounds like a DOS (Denial of Service) Attack.

Put this in your rc.local file:

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

Also make sure you setup iptables firewall rules that will drop everything except port 80. There are also parameters you can set to minimize the amounts of tcp sessions per host - that cuts down on connection problems.
 
Old 04-05-2007, 09:54 AM   #4
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 55
Lightbulb

Quote:
Originally Posted by arkaan
Hello folks, as the headline says I have lately been attacked several times, where my homepage has been literally freezed, because of the massive attack on port 80.

My problem is, as I said, that I really need protection against this, I have searched all over the web and tryed hundreds of solutions.. None of them helped.

Not even syncooking which was recommended by another linuxforum helped at all..




If there's anyone who just have a CLUE about what I could do, tell me :-)
Install a router or other hardware firewall between your box and the network. They're not expensive.
 
Old 04-08-2007, 09:57 AM   #5
arkaan
LQ Newbie
 
Registered: Mar 2007
Posts: 9

Original Poster
Rep: Reputation: 0
ramram, none of the stuff you came up with helped a bit. Isent there a way that I can trace the attackers ip-addresses, and later ban them?

I havent been able to trace down any of them yet :[
 
Old 04-08-2007, 04:08 PM   #6
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Rep: Reputation: 15
arkaan.. what's your site about? if you have a torrent tracker or something like that, then my friend i belive you're dealing with the same ddos i am. try to install snort and run "snort -i eth0 -vde" (or maybe eth1) and if you see any stuff like $MyNick bla bla bla then my friend.. you have a problem

this kind of attack is done using users on Direct Connect hubs as bots, just imagine controlling users on 30 hubs (1000-15000 users on every hub) and foring them to connect to a $host and $port
 
Old 04-09-2007, 02:53 PM   #7
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
You need to setup iptables firewall rules that limit the amount of connections per host. That way one host can only connect certain number of times. However, if you have a DDNS (Distributed Denial of Service) attack then it will be trickier.

Another thing you can do is create a script that monitors how many times an IP address tries to connect to your system; if it tries to connect more than 20 times per every 5 seconds then add it to the hosts.deny file. Make sure you monitor everything.
 
Old 04-10-2007, 09:57 PM   #8
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
In addition to the wonderful info that's already been given, you can recompile your kernel to reduce the "half-open" state timeout and "max connections from ip". I don't know the exact technical terms here, but I know it can be done...and it would help to an extent.
 
Old 04-16-2007, 07:54 PM   #9
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
Whilst the suggestions given do help a bit, it sounds like you are suffering from a distributed denial of service attack.

The best recourse is the ISP, generally these attacks are blocked upstream on the main routers.

Sometimes this can affect a number of networks so it tends to be taken fairly seriously and don't be surprised if law enforcement is brought in by one of the parties.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Possible SYN flooding? gbowden Linux - Security 7 02-08-2007 08:16 AM
TCP SYN attack -Linking errors adityabhat6 Programming 1 03-26-2006 07:10 PM
TCP packet flags (SYN, FIN, ACK, etc) and firewall rules TheLinuxDuck Linux - Security 12 04-28-2005 11:30 PM
programming in c, problem TCP -> SYN,... bebe531 Programming 1 05-25-2004 02:58 PM
Blocking TCP | SYN scans robeb Linux - Security 3 05-19-2002 08:41 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration