Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 8116 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Syn Flood Attacks

kubilay
Hello All,

I am new to Astaro, and I install Security Linux v6 to my Dual Amd, 1Gb box for testing.

We are having syn attacks nearly everyday. Actually, the source was only one IP address so that I can block that IP from my router. But sometimes we miss the attacks so web server goes to slow down, and customers’ starts to bla bla.

So that I started to search a firewall and ids system and found Astaro. 2 of sleepiness nights, I successfully installed and configured Astaro. I set my entire packet filters rule. I configure ids, syn, and others.

And I started to wait a syn attack and yesterday night we had. But unfortunately, Astaro do nothing against to attack. I turned log on everything from syn. I see the packets passing.

I really need your help for blocking these syn attacks. I decrease the p/s rate to 10/10 and still some syn are passing.

What I found in my mind is, if there are a syn packets from X source to Y dest. passing Z packets in a second. This will be count as 1. And if there are A events in B seconds, block the source X for C seconds.

I hope I can express what I think.

Please, I need your urgent help.

Thanks.


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to kubilay
    tcp        0      0 212.175.236.22:80       85.96.78.161:2116       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2912       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3234       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3604       SYN_RECV   
    tcp        0      0 212.175.236.22:80       80.132.250.29:3280      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2146       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2362       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2149       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2974       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.101.131.122:3215     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3204       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3187       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2859       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2710       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.168.255.151:4786     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2939       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3968       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3218       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.168.255.151:4805     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3112       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3426       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3266       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.215.123.102:1324     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:1954       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3562       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.101.151.63:2063      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3115       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3651       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2917       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2914       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3230       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3689       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2444       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:1775       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3305       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2011       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2463       SYN_RECV   
    tcp        0      0 212.175.236.22:80       195.175.61.190:3355     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3203       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2328       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3606       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.213.156.199:62363    SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3563       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.214.151.191:1342     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3231       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2445       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2040       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3290       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.214.118.37:28699     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2706       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.194.171.184:3350     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3274       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.213.158.127:2097     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3727       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3295       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.98.113.140:1591      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2806       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.215.134.245:1715     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3294       SYN_RECV  

    And gooooooooes like this. Until Memory and Swap usage is full then system hangs.

    Linux Debian Sarge 64bit
    Dual Xeon 3.2Ghz/2Gb Ram

    Nano of these are working.

    # /etc/sysctl.conf - Configuration file for setting system variables
    # See sysctl.conf (5) for information.
    #
    #kernel.domainname = example.com

    #TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    #Disable IP Source Routing
    net.ipv4.conf.all.accept_source_route = 0
    #Disable ICMP Redirect Acceptance
    net.ipv4.conf.all.accept_redirects = 0
    #IP Spoofing Protection
    net.ipv4.conf.all.rp_filter = 1
    #Ignoring Broadcasts Request
    net.ipv4.icmp_echo_ignore_broadcasts=1
    #Bad Error Message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
  • 0 in reply to kubilay
    What mode are you using flood attack protection in?

    Please advise how you have it configured.

    Ian M [:)]
  • 0 in reply to kubilay
    Sorry, wasn't ment that way. 

    Can you try the following as root on the shell:

    iptables -A AUTO_INPUT -p tcp --syn -m limit 10/s -j ACCEPT

    This would be the normal tables synrate limiter, don't know how long it will stay in the tables, normaly it well be deleted as soon you change something via the GUI.

    Chris