Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
10-15-2007, 05:06 AM
|
#1
|
Member
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144
Rep:
|
symptoms of syn attack
Hello Linux geeks,
How do I know if I am under a SYN attack, and how do I prevent such?
Thanks
|
|
|
10-15-2007, 09:03 AM
|
#2
|
Member
Registered: Jun 2004
Posts: 124
Rep:
|
For knowing when you are under the eyes of a SYN scan you could use iptables or snort.
Iptables (your firewall) can watch for bursts of SYN flagged packets (and drop them, with logging if desired). Snort (an IDS) will detect and log many types of attacks.
Either way though, there's not really much you can do to prevent SYN scans per se (because they are externally initiated), beyond silently dropping the offending packets.
|
|
|
10-15-2007, 11:28 AM
|
#3
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
By SYN attack do you mean SYN flood attack? If so, the main symptom is that people won't be able to start new connections with your server (existing connections don't get affected). Also, if you use netstat to check for connections in a half-open state you should see tons from random IPs:
Code:
netstat -ant | grep SYN_RECV
SYN cookies are the SYN flood countermeasure of choice.
Code:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
If the flood is happening from non-spoofed IPs, per IP rate-limiting via iptables will help.
Last edited by win32sux; 10-15-2007 at 04:54 PM.
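An added example, not part of the original thread: a shell sketch that takes the `netstat -ant` check from the post above one step further by counting half-open connections per remote address and reading the SYN cookie setting. The function names and the sample output (documentation address ranges) are constructed for illustration.

```shell
# Constructed sample in `netstat -ant` format; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51822       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40200      SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::99:33000      SYN_RECV
EOF
}

# Read `netstat -ant` output on stdin and print "count address" for every
# remote address holding SYN_RECV entries, busiest first.
syn_recv_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             addr = $5
             sub(/:[0-9]+$/, "", addr)   # drop the port, keep IPv6 colons
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Total number of half-open connections in the input.
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Print the tcp_syncookies value (0 = disabled, non-zero = enabled),
# or "unknown" if the file cannot be read.
syncookies_state() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Demo on the constructed sample; on a live host use:
#   netstat -ant | syn_recv_by_source
sample_netstat | syn_recv_by_source
echo "total half-open: $(sample_netstat | syn_recv_total)"
echo "tcp_syncookies: $(syncookies_state)"
```

A long list of addresses with one or two entries each is what spoofed sources look like, while a few addresses with high counts point at real hosts, which is the case where per-IP rate limiting applies.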
|
|
|
10-15-2007, 06:04 PM
|
#4
|
Member
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144
Original Poster
Rep:
|
Thanks conn and win32, I am really glad for the fast reply. After I did netstat -ant | grep SYN_RECV, I saw a lot of SYN_RECV but they were from my local IPs, not from an external IP.
By the way, what is a half-open connection?
|
|
|
10-15-2007, 06:13 PM
|
#5
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by yawe_frek
Thanks conn and win32, I am really glad for the fast reply. After I did netstat -ant | grep SYN_RECV, I saw a lot of SYN_RECV but they were from my local IPs, not from an external IP.
|
Don't forget that SYN flood packets will have spoofed source addresses most of the time. But assuming you do confirm they come from your LAN boxes, you should still look into it because it could be a symptom of buggy software on your LAN.
Quote:
Originally Posted by yawe_frek
By the way, what is a half-open connection?
|
Wikipedia has a pretty concise explanation.
Last edited by win32sux; 10-15-2007 at 08:21 PM.
|
|
|
All times are GMT -5.