#1 | 12-06-2005, 05:18 PM | LQ Newbie | Registered: Dec 2005 | Posts: 18
New Firewall - SYN Flood
Hi all,
I have been given a class project to install a firewall on a Linux machine and to try to prevent a SYN Flood attack. I have no previous Linux experience or firewall experience prior to this project. Can someone please help me out....
I've installed about 4 different firewalls but do not know how to configure them properly. I don't know how to modify a firewall's policy to protect against a syn attack. I appreciate any help.
Thanks,
Craig
#2 | 12-06-2005, 05:48 PM | Member | Registered: Sep 2002 | Posts: 310
We won't do your homework for you, so try breaking it down into more specific questions. First think about what a SYN flood is and how you would prevent it. What is going on? What can you do? Then search for how to do it. There are several methods for attempting to prevent a SYN flood attack, so you should have several ideas about the matter.
#3 | 12-07-2005, 04:05 AM | LQ Newbie | Registered: Dec 2005 | Distribution: Slackware, Mandrake | Posts: 15
Just to give some more hints in that direction:
1. Don't try to install different firewalls. Basically any firewall will do IF you know exactly what you want to configure.
2. As said by GNUBie, try to find out exactly what a SYN flood attack is.
3. Try to learn how to add simple firewall rules [in case you haven't decided what to use, start reading up on IPTABLES. In Linux that should be more than enough for you].
All the best, and keep posting things as you get stuck. We will then help you.
#4 | 12-07-2005, 11:01 AM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
Ok, here's what's up.
I'm not asking for my homework to be done but I understand how my question may have come across.
I know how a syn flood is carried out to an extent. I know that syn packets keep getting sent and no complete connection can be made.
I have a firewall installed (Firestarter) but I can only block ports and ip addresses. I know that I need to watch the packets that come in to look for a syn flag.
The problem is that I don't understand how to set a firewall to block those packets that have a syn flag. I've read stuff about iptables but I don't believe I am proficient enough with Linux to manipulate the files or move around. I have tried a lot of different firewalls but most of them are command line based and I don't know enough.
So, I am looking for a little guidance. I appreciate any help you can offer. Again, I don't want you to do my homework for me but I would appreciate some guidance. Thanks...
#5 | 12-07-2005, 11:39 AM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
One more question...
How do I view the iptables rules file? (Location?)
And how do I modify these rule codes to add some of my own?
Remember, I'm fairly new to Linux.
Thanks...
#6 | 12-07-2005, 11:50 AM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
Sorry to keep posting but I think I'm getting closer to a solution. I found some code and listed it below. What file would I place this in and does it matter what order it would go in? Thanks...
# Accept new TCP connection attempts (SYN) at an average of 1 per second;
# the limit module's default burst of 5 lets a short burst through first
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Everything over that limit goes to a separate SYN_FLOOD chain
# (without this jump from INPUT the chain's rules never run)
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
# Leave the chain for anything that is not a TCP SYN
# ("! -p tcp" is the current negation syntax; older iptables wrote "-p ! tcp")
iptables -A SYN_FLOOD ! -p tcp -j RETURN
iptables -A SYN_FLOOD -p tcp ! --syn -j RETURN
# Log at most a few lines per minute so the log itself cannot be flooded, then drop
iptables -A SYN_FLOOD -m limit --limit 5/min -j LOG --log-prefix "IPT SYN_FLOOD: "
iptables -A SYN_FLOOD -j DROP
#7 | 12-07-2005, 02:21 PM | Member | Registered: Sep 2002 | Posts: 310
Those are commands that can be run as root. So you could log in as root and enter each of those at the console, or you could put them all in a file (script) and execute that. I would do the latter.
1. Create script
Code:
cat > /usr/local/src/syn_flood.sh
#!/bin/bash
# Accept new TCP connection attempts (SYN) at an average of 1 per second;
# the limit module's default burst of 5 lets a short burst through first
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Everything over that limit goes to a separate SYN_FLOOD chain
# (without this jump from INPUT the chain's rules never run)
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
# Leave the chain for anything that is not a TCP SYN
# ("! -p tcp" is the current negation syntax; older iptables wrote "-p ! tcp")
iptables -A SYN_FLOOD ! -p tcp -j RETURN
iptables -A SYN_FLOOD -p tcp ! --syn -j RETURN
# Log at most a few lines per minute so the log itself cannot be flooded, then drop
iptables -A SYN_FLOOD -m limit --limit 5/min -j LOG --log-prefix "IPT SYN_FLOOD: "
iptables -A SYN_FLOOD -j DROP
* hit enter after your last line, then ctrl+c to finish
2. Make script executable
Code:
chmod 711 /usr/local/src/syn_flood.sh
3. Execute script
Code:
/usr/local/src/syn_flood.sh
4. View iptables rules
#8 | 12-07-2005, 09:51 PM | LQ Newbie | Registered: Dec 2005 | Distribution: Slackware, Mandrake | Posts: 15
You are doing really well. Let me tell you something. Look up the limit module in iptables. Basically the problem is that if you decide to DROP every SYN packet, then you will not be able to do anything productive. Hence you have to rate-limit the packets. Depending on your usage, you decide to allow some X SYN packets per second, and anything more than that, you say could be a scan. No one will be able to decide a "correct" value for X, because there is no such thing as a "correct" value.
So all the best!
#9 | 12-08-2005, 08:12 AM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
Which of these codes do you think I should use? And what is the difference with the eth0?
# Variant 1: applies to TCP SYNs arriving on any interface
# (load only one of the two variants; both create the same syn-flood chain)
#Syn flood protection
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
# let SYNs back into INPUT at 1/s with a burst of 4; anything over that is dropped
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#Make sure new TCP connections are syn packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Variant 2: the same rules, restricted with -i eth0 to packets arriving on eth0
#Syn flood protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#Make sure new TCP connections are syn packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
Can you tell me if I am right when I try to explain what happens. Is it saying that it is only going to allow 4 syn packets per second? And if so do you think this is sufficient enough?
Thanks for the help all...
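As an added worked example (not code from the thread), the Python below models the token bucket that the iptables limit module implements, which is what the "4 syn packets per second" question comes down to. The model is idealized (the real module keeps an integer credit counter in jiffies) but the behaviour is the same: the bucket starts full with limit-burst tokens, refills at the --limit rate, and a packet matches the rule only when a token is available. The names LimitMatch, simulate and summary are this example's own.

```python
"""Model of the iptables 'limit' match (-m limit --limit R --limit-burst B).
Added illustration for this page: an idealized token bucket, not kernel code."""


class LimitMatch:
    """Token bucket: starts full at `burst` tokens, refills `rate_per_sec`
    tokens per second, and every matching packet spends one token."""

    def __init__(self, rate_per_sec=1.0, burst=5):
        # iptables defaults are --limit 3/hour and --limit-burst 5
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now):
        """True if a packet seen at time `now` (seconds) matches the rule."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate_per_sec=1.0, burst=4):
    """Run SYN arrival times (seconds, non-decreasing) through the two-rule
    chain from the thread:
        -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
        -A syn-flood -j DROP
    and return the verdict for each packet."""
    m = LimitMatch(rate_per_sec, burst)
    return ["RETURN" if m.matches(t) else "DROP" for t in arrivals]


def summary(arrivals, rate_per_sec=1.0, burst=4):
    """(accepted, dropped) counts for a list of arrival times."""
    verdicts = simulate(arrivals, rate_per_sec, burst)
    return verdicts.count("RETURN"), verdicts.count("DROP")


if __name__ == "__main__":
    # 20 SYNs inside one second: a small flood (constructed timings)
    flood = [i * 0.05 for i in range(20)]
    print("flood:", summary(flood))      # (4, 16)
    # a quiet client: one SYN every 2 seconds for 10 seconds
    quiet = [2.0 * i for i in range(1, 6)]
    print("quiet:", summary(quiet))      # (5, 0)
```

So with --limit 1/s --limit-burst 4 the rule does not mean "four per second": four SYNs match immediately, then one more every second on average, and the bucket is back to four after four idle seconds. Whether 1/s is enough depends entirely on how many legitimate new connections the host expects, which is the point the previous reply makes about there being no "correct" value.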
#10 | 12-10-2005, 06:12 PM | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
also, consider using TCP SYN cookies...
Code:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
http://www.google.com/linux?&q=tcp_syncookies
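The sysctl above turns on SYN cookies. The Python below is an illustration written for this page, not the Linux kernel's implementation, of the idea behind them: instead of putting a half-open connection into the SYN backlog, the server encodes what it needs into the initial sequence number of its SYN-ACK and recovers it from the client's ACK, so a flood of spoofed SYNs costs it no memory. The bit layout (5 bits of a time counter, 3 bits of MSS index, 24 bits of keyed hash), the MSS table, the counter window and the fixed secret are this example's own simplifications.

```python
"""Simplified SYN cookie: stateless handshake for a server under SYN flood.
Added example; the real kernel uses a different layout, hash and key handling."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"        # constructed; the kernel uses random per-boot keys
MSS_TABLE = (536, 1220, 1440, 1460)        # the cookie carries an index, not the exact MSS
COUNTER_WINDOW = 3                         # how many past counter ticks still validate


def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(src, sport, dst, dport, client_mss, counter):
    """Server's ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC.
    Nothing about this connection is stored anywhere on the server."""
    return (((counter & 0x1F) << 27)
            | (mss_index(client_mss) << 24)
            | _mac24(src, sport, dst, dport, counter))


def check_cookie(src, sport, dst, dport, ack_seq, now_counter):
    """Validate the third handshake packet. The client acknowledges ISN+1, so the
    cookie is ack_seq-1. Returns the negotiated MSS, or None if the ACK is bogus
    (spoofed address, forged number, or too old)."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    stored = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    # Rebuild the full counter from its low 5 bits, allowing a small window
    for back in range(COUNTER_WINDOW + 1):
        c = now_counter - back
        if c < 0:
            break
        if (c & 0x1F) == stored and _mac24(src, sport, dst, dport, c) == mac:
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # constructed handshake: client 192.168.1.50:40000 -> server 192.168.1.10:80
    isn = make_cookie("192.168.1.50", 40000, "192.168.1.10", 80, 1460, counter=100)
    print("genuine ACK  ->", check_cookie("192.168.1.50", 40000, "192.168.1.10", 80, isn + 1, 100))
    print("spoofed src  ->", check_cookie("192.168.1.51", 40000, "192.168.1.10", 80, isn + 1, 100))
    print("too old      ->", check_cookie("192.168.1.50", 40000, "192.168.1.10", 80, isn + 1, 104))
```

The property this demonstrates is the one that matters against a SYN flood: a spoofed SYN never produces a valid ACK, and since the server committed nothing to memory, the backlog cannot fill up. The price is that only what fits in the cookie survives (here an approximated MSS, no other TCP options), which is why with tcp_syncookies=1 the kernel only switches to cookies once the SYN backlog overflows.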
#11 | 12-11-2005, 12:50 PM | Member | Registered: Aug 2003 | Location: Canada/US | Distribution: Ubuntu, Arch | Posts: 84
All -i eth0 means is that you specify which network interface you want this rule to apply to. If you had more than one network card, you can make your rules more specific and flexible by specifying eth0, eth1 etc.
#12 | 12-12-2005, 01:20 AM | LQ Newbie | Registered: Dec 2005 | Distribution: Slackware, Mandrake | Posts: 15
Or you could make it more generic with
This would be a regular expression that accepts any interface like eth0, eth1, etc. (1 character indicated by a +).
#13 | 12-12-2005, 12:11 PM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
How do I know if it is working? I am running the syn flood on one computer and running these commands but it is still bogging down the machine. Is there a log file or something I can see to find out if it is working? Thanks
#14 | 12-12-2005, 12:16 PM | LQ Newbie (Original Poster) | Registered: Dec 2005 | Posts: 18
Also, the machine I am running the syn flood from has the address 192.168.1.1 because it's through a router. Also, the syn flood code is set up so that it spoofs the ip address so that I get 192.168.1.* where * is anything. How do I block everything from 192.168.1.*? I know that iptables doesn't accept that wildcard and I don't want to have to type in the command in 255 times to block all of the addresses. thanks
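Two things the last two posts ask about, as an added example that is not part of the thread: where the dropped SYNs show up, and how to match 192.168.1.* in a single rule. The LOG target from the earlier script writes to the kernel log (dmesg, and /var/log/messages or /var/log/kern.log depending on the syslog setup), each line carrying the --log-prefix and the packet's fields, and iptables expresses address ranges as CIDR networks (-s 192.168.1.0/24), not wildcards. The Python below parses sample lines in the LOG target's format, counts logged SYNs per source, and lists which of those sources a /24 rule would cover. The sample log lines are constructed for this example, and the function names are its own.

```python
"""Parse kernel LOG-target lines written by a rule such as
    iptables -A SYN_FLOOD -j LOG --log-prefix "IPT SYN_FLOOD: "
and summarise them. Added example; the log lines are constructed, not captured."""
import ipaddress
import re
from collections import Counter

PREFIX = "IPT SYN_FLOOD: "

# Constructed sample in the field layout the LOG target emits via syslog.
SAMPLE_LOG = """\
Dec 12 12:10:01 fw kernel: IPT SYN_FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1025 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Dec 12 12:10:01 fw kernel: IPT SYN_FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.200 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=1026 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Dec 12 12:10:01 fw kernel: IPT SYN_FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=1027 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Dec 12 12:10:02 fw kernel: IPT SYN_FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=1028 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Dec 12 12:10:02 fw kernel: IPT SYN_FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=1029 DPT=80 WINDOW=512 RES=0x00 ACK URGP=0
Dec 12 12:10:02 fw kernel: some unrelated kernel message
"""

# key=value fields we care about; TCP flags appear as bare words (SYN, ACK, ...)
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not ours."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = set(FLAG_RE.findall(body))
    return rec


def syn_drops_by_source(text):
    """Count logged TCP SYNs (not SYN-ACKs) per source address."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[rec["SRC"]] += 1
    return counts


def sources_covered_by(text, cidr):
    """Logged sources that a rule like '-s 192.168.1.0/24 -j DROP' would match."""
    net = ipaddress.ip_network(cidr, strict=False)
    srcs = {rec["SRC"] for rec in map(parse_line, text.splitlines()) if rec}
    return sorted((s for s in srcs if ipaddress.ip_address(s) in net),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for src, n in syn_drops_by_source(SAMPLE_LOG).most_common():
        print(f"{src:16} {n} logged SYNs")
    print("inside 192.168.1.0/24:", sources_covered_by(SAMPLE_LOG, "192.168.1.0/24"))
```

The other quick check is `iptables -L INPUT -v -n`: the per-rule packet and byte counters show whether SYNs are reaching the chain and being dropped even before anything is logged. Note that a `-s 192.168.1.0/24 -j DROP` rule blocks every host on that LAN, not just the flooding one, which is acceptable in a class lab but is not how the rule would be used on a production network; the rate limit and SYN cookies are the controls that work when the source addresses are spoofed.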
#15 | 12-12-2005, 12:17 PM | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
are you using the syn cookies??