Old 06-22-2004, 03:01 PM   #1
LQ Newbie
Registered: Jun 2004
Posts: 3

Rep: Reputation: 0
protection from SYN flood attacks

The story goes as follows.. I am taking a security course in college, where the purpose of the course is to learn to set up different services on a Linux box, which are ftp, http, ssh and pop3 (using SMTP), and the main objective is to learn how to secure these services. I've done weeks of research and followed the rule "RTFM" all the way.. good news is I succeeded in setting up the services and securing them from local attacks.
Only one problem remains.. my box is on an ethernet LAN, and to test my services, other students in the class have to try to hack my box. Since I did a relatively good job in securing it, the only option they have left is a god damned DoS attack, which is accomplished by flooding my box with SYN packets. I detected this by using tcpdump on my box. I'm sure they used other types of flooding to render my services unreachable. After googling around a bit, I found out about SYN cookies and patching the kernel to prevent SYN floods. Didn't work.
So my question is ::: what the hell am I supposed to do now?
Box info ::: OS Fedora Core 2 (patched to secure against the latest kernel exploit to 2.6.6)
I'm using iptables to close all other ports open on my box except 21 (ftp), 22 (ssh), 80 (http) and 110 (pop3).
Please help..
Old 06-22-2004, 03:04 PM   #2
LQ Newbie
Registered: Jan 2004
Posts: 12

Rep: Reputation: 0
Try SYN cookies again, dear, it works.
Old 06-22-2004, 03:05 PM   #3
LQ Newbie
Registered: Jan 2004
Posts: 12

Rep: Reputation: 0
Try SYN cookies again, it works.
Old 06-22-2004, 04:38 PM   #4
Registered: Jan 2004
Distribution: Slackware 10.0|Damn Small Linux|NetBSD|Debian
Posts: 46

Rep: Reputation: 15
Yup. They work. If they don't, then you're not getting SYN flooded. Try playing around with the kernel source if you know what you're doing. If you don't, I can send you my kernel. (Note: for whatever reason the kernel disables the proper use of some GTK+ widgets, but I don't think you'll care about that.)
Old 06-22-2004, 06:38 PM   #5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
AFAIK, the Linux implementation of tcp_cookies will only kick in as the connection queue starts to reach a threshold close to the max. Once it reaches that level, it starts handing out syn_cookies. I'm guessing that the flooding isn't reaching the threshold in your case (or, as pointed out, not happening at all).

One way to limit lower-threshold flooding is by using the iptables patch-o-matic extension called "connlimit". This extension allows you to specify the number of simultaneous connections that can be made to the box. To use patch-o-matic, you have to download it from the netfilter site, tell it where the kernel and iptables sources are located, and then select from the "menu" which patches to install. You'll then need to re-compile the kernel (don't forget to turn on kernel support for whichever patches you select).
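
Post #5's point, that SYN cookies only engage once the queue of half-open connections is nearly full, can be checked on the box by counting SYN_RECV sockets. The following is an added example, not code from any poster in this thread: it parses `/proc/net/tcp`-format text; the sample rows, the `queue_limit` figure and the function names are constructed for illustration, and little-endian address encoding is assumed.

```python
"""Count half-open (SYN_RECV) TCP connections in /proc/net/tcp-format text."""
import socket
from collections import Counter

SYN_RECV = "03"  # hex state code /proc/net/tcp uses for SYN_RECV

# Constructed sample, not captured from a real host. Addresses are hex in
# host byte order; little-endian (x86) is assumed.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 1400000A:C001 03 00000000:00000000 01:00000064 00000000     0        0 0
   2: 0A00000A:0050 1400000A:C002 03 00000000:00000000 01:00000064 00000000     0        0 0
   3: 0A00000A:0050 1500000A:C003 03 00000000:00000000 01:00000064 00000000     0        0 0
   4: 0A00000A:0016 1500000A:C004 01 00000000:00000000 00:00000000 00000000     0        0 1002
   5: 0A00000A:0016 1400000A:C005 03 00000000:00000000 01:00000064 00000000     0        0 0
"""

def decode_addr(field):
    """Turn '1400000A:C001' into ('10.0.0.20', 49153)."""
    hex_ip, hex_port = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1]), int(hex_port, 16)

def half_open(proc_net_tcp):
    """Return (Counter by local port, Counter by remote IP) of SYN_RECV rows."""
    per_port, per_peer = Counter(), Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue
        per_port[decode_addr(cols[1])[1]] += 1
        per_peer[decode_addr(cols[2])[0]] += 1
    return per_port, per_peer

def ports_near_limit(proc_net_tcp, queue_limit, fraction=0.75):
    """Ports whose half-open count is at least fraction * queue_limit.

    queue_limit is supplied by the caller (hypothetical figure for the
    listener's SYN queue size); this is a heuristic, not the kernel's test.
    """
    per_port, _ = half_open(proc_net_tcp)
    return sorted(p for p, n in per_port.items() if n >= fraction * queue_limit)

if __name__ == "__main__":
    ports, peers = half_open(SAMPLE)
    print("half-open per port:", dict(ports))
    print("top sources:", peers.most_common(3))
    print("near limit (queue_limit=4):", ports_near_limit(SAMPLE, 4))
```

On a live Linux host the same functions can be fed the contents of `/proc/net/tcp`; a per-source count is only meaningful when the source addresses are not forged.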


All times are GMT -5.