LinuxQuestions.org
Old 10-15-2007, 05:06 AM   #1
yawe_frek
Member
 
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144

Rep: Reputation: 15
symptoms of syn attack


Hello Linux geeks,

How do I know if I am under a SYN attack and how do I prevent such?

Thanks
 
Old 10-15-2007, 09:03 AM   #2
conn-fused
Member
 
Registered: Jun 2004
Posts: 124

Rep: Reputation: 15
For knowing when you are under the eyes of a SYN scan you could use iptables or snort.

Iptables (your firewall) can watch for bursts of SYN flagged packets (and drop them, with logging if desired). Snort (an IDS) will detect and log many types of attacks.

Either way though, there's not really much you can do to prevent SYN scans per se (because they are externally initiated), beyond silently dropping the offending packets.
 
Old 10-15-2007, 11:28 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
By SYN attack do you mean SYN flood attack? If so, the main symptom is that people won't be able to start new connections with your server (existing connections don't get affected). Also, if you use netstat to check for connections in a half-open state you should see tons from random IPs:
Code:
netstat -ant | grep SYN_RECV
SYN cookies are the SYN flood countermeasure of choice.
Code:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
If the flood is happening from non-spoofed IPs, per-IP rate limiting via iptables will help.

Last edited by win32sux; 10-15-2007 at 04:54 PM.
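
Added example, not part of win32sux's post: the netstat check above extended to count half-open entries per remote address, which separates a flood from a few real sources (where per-IP rate limiting helps) from one spread over many, probably spoofed, sources (where SYN cookies are the defence). The function names, the sample data and the "at least half from one source" rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify half-open (SYN_RECV) entries from `netstat -ant` output.
# Live use (threshold 50 is an assumed value): netstat -ant | syn_recv_verdict 50

# Constructed sample (documentation addresses), not output from a real host.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.25:51820      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:50022       ESTABLISHED
EOF
}

# Prints "total=<n> sources=<m> top=<ip>:<count>" for entries in SYN_RECV.
syn_recv_summary() {
    awk '
        $6 == "SYN_RECV" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the port, keep the remote address
            seen[ip]++
            total++
        }
        END {
            top = "-"; max = 0
            for (ip in seen) {
                sources++
                if (seen[ip] > max || (seen[ip] == max && ip < top)) { max = seen[ip]; top = ip }
            }
            printf "total=%d sources=%d top=%s:%d\n", total, sources, top, max
        }'
}

# $1 = minimum half-open count worth reporting (assumed threshold, tune per server).
# "concentrated": one source holds at least half, so per-IP rate limiting can help.
# "dispersed": many sources, consistent with spoofing, so rely on SYN cookies.
syn_recv_verdict() {
    awk -v min="$1" '
        $6 == "SYN_RECV" { ip = $5; sub(/:[0-9]+$/, "", ip); seen[ip]++; total++ }
        END {
            for (ip in seen) if (seen[ip] > max) max = seen[ip]
            if (total + 0 < min + 0)   print "ok"
            else if (max * 2 >= total) print "concentrated"
            else                       print "dispersed"
        }'
}
```

A "dispersed" result alongside `/proc/sys/net/ipv4/tcp_syncookies` reading 0 is the case the post's echo command addresses.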
 
Old 10-15-2007, 06:04 PM   #4
yawe_frek
Member
 
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144

Original Poster
Rep: Reputation: 15
Thanks conn and win32, I am really glad for the fast reply. After I did netstat -ant | grep SYN_RECV, I saw a lot of SYN_RECV but they were from my local IPs, not from an external IP.

By the way, what is a half-open connection?
 
Old 10-15-2007, 06:13 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by yawe_frek
Thanks conn and win32, I am really glad for the fast reply. After I did netstat -ant | grep SYN_RECV, I saw a lot of SYN_RECV but they were from my local IPs, not from an external IP.
Don't forget that SYN flood packets will have spoofed source addresses most of the time. But assuming you do confirm they come from your LAN boxes, you should still look into it because it could be a symptom of buggy software on your LAN.

Quote:
Originally Posted by yawe_frek
By the way, what is a half-open connection?
Wikipedia has a pretty concise explanation.

Last edited by win32sux; 10-15-2007 at 08:21 PM.
 
  


All times are GMT -5.
