
Sorry for the long time without posts; I changed jobs and now don't have enough time to create posts, but I will do it when I have time, because I have a lot of interesting information to share.

What is a SYN flood attack? You can read about it here: https://en.wikipedia.org/wiki/SYN_flood

The main goal of this short how-to is to provide simple steps for protecting a server from this type of attack.

Below I describe a common way to protect your server against these attacks with iptables, and how to write the resulting log messages to a standalone iptables log file.

sysctl.conf

1) echo 'net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30' >> /etc/sysctl.conf

2) echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf

3) Apply the changes with: sysctl -p

iptables rules

1) Create a new chain: iptables -N syn-flood

2) Send every incoming SYN packet to the new chain: iptables -A INPUT -p tcp --syn -j syn-flood

3) Let a limited rate of SYN packets through (10 per second, with a burst of 50): iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN

4) Log the packets that exceed the limit (the standalone log file for iptables is described below): iptables -A syn-flood -j LOG --log-prefix "Iptables: SYN FLOOD: "

5) Drop the remaining packets: iptables -A syn-flood -j DROP

iptables log file

1) Send messages whose text contains the prefix 'Iptables: ' to a separate file: echo ':msg, contains, "Iptables: " -/var/log/iptables.log' > /etc/rsyslog.d/iptables.conf

2) Stop these messages from also being written to the messages and syslog logs: echo '& ~' >> /etc/rsyslog.d/iptables.conf

3) Restart rsyslog: /etc/init.d/rsyslog restart

4) Create a logrotate configuration for the iptables log file in /etc/logrotate.d/iptables:

/var/log/iptables.log {
    daily
    rotate 30
    compress
    missingok
    notifempty
    sharedscripts
}

5) Apply the logrotate rules: logrotate -f /etc/logrotate.conf
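Once the LOG rule and the rsyslog filter above are in place, /var/log/iptables.log fills with one kernel line per SYN packet that exceeded the limit. Because the -m limit match counts all SYN packets together rather than per source, the log is where you find out which addresses and ports were actually involved. The script below is an added example, not part of the original post: it summarises such a log with plain sh and awk. The log lines in SAMPLE_LOG are constructed test data (hostname "gw", interface eth0, RFC 5737 addresses); the field layout (SRC=, DST=, DPT=, ...) is the real iptables LOG format.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the lines that the
# "Iptables: SYN FLOOD: " LOG rule writes to /var/log/iptables.log via rsyslog.
# SAMPLE_LOG is constructed test data; the iptables LOG field layout is real.
MAC='MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00'
SAMPLE_LOG="Mar 10 12:00:01 gw kernel: [1234.001] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:01 gw kernel: [1234.002] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:01 gw kernel: [1234.003] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=203.0.113.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: [1234.004] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: [1234.005] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=203.0.113.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: [1234.006] Iptables: SYN FLOOD: IN=eth0 OUT= $MAC SRC=198.51.100.200 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=64 RES=0x00 SYN URGP=0
Mar 10 12:00:03 gw kernel: [1234.007] Iptables: INPUT DROP: IN=eth0 OUT= $MAC SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 10 12:00:03 gw sshd[2210]: Accepted publickey for admin from 192.0.2.20 port 50022 ssh2"

# Keep only the lines produced by the syn-flood chain's LOG rule (stdin -> stdout).
# Other "Iptables: " prefixes that share the same file are ignored.
syn_flood_lines() {
    grep 'Iptables: SYN FLOOD: '
}

# Total number of SYN packets that exceeded the limit and were logged (and dropped).
syn_flood_count() {
    syn_flood_lines | wc -l | tr -d ' '
}

# Print "count source" for every SRC= address seen, busiest first.
# $1 limits the number of rows (default 10); ties are broken by address.
top_syn_sources() {
    n="${1:-10}"
    syn_flood_lines | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        cnt[src]++
    } END { for (s in cnt) print cnt[s], s }' | sort -k1,1nr -k2,2 | head -n "$n"
}

# Print "count port" for every DPT= destination port seen, busiest first.
targeted_ports() {
    syn_flood_lines | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) port = substr($i, 5)
        cnt[port]++
    } END { for (p in cnt) print cnt[p], p }' | sort -k1,1nr -k2,2n
}

# Print only the sources whose logged SYN count reaches the threshold $1
# (default 3): a simple alert condition for a monitoring hook.
syn_sources_over() {
    top_syn_sources 1000000 | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Human-readable report. Pass the log file as $1 to run against the real
# /var/log/iptables.log; without an argument the constructed sample is used.
report() {
    if [ -n "${1:-}" ]; then data=$(cat "$1"); else data=$SAMPLE_LOG; fi
    echo "logged SYN packets over the limit: $(printf '%s\n' "$data" | syn_flood_count)"
    echo "top sources:"
    printf '%s\n' "$data" | top_syn_sources 5
    echo "targeted ports:"
    printf '%s\n' "$data" | targeted_ports
}

report "${1:-}"
```

Run it as sh syn_flood_report.sh /var/log/iptables.log on the server; with no argument it reports on the embedded sample. The INPUT DROP and sshd lines in the sample show that the summary only counts the lines the syn-flood chain produced, even though the rsyslog filter above routes every 'Iptables: ' message into the same file.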


That's all. Now you can watch the iptables counters. To check whether it is working: watch 'iptables -vL'

And use a stress tool like hping3 to simulate an attack: hping3 -c 10000 -d 1024 -S -w 64 -p 443 --flood IP_ADDRESS/HOSTNAME

Before (ports 80 and 443 are under attack):

After:


Hope it helps you!
