SYN Flood Attacks

Hello All,

I am new to Astaro, and I installed Security Linux v6 on my dual AMD, 1 GB box for testing.

We are having SYN attacks nearly every day. Actually, the source was only one IP address, so I could block that IP on my router. But sometimes we miss the attacks, so the web server slows down and the customers start to bla bla.

So I started to search for a firewall and IDS system and found Astaro. After 2 sleepless nights, I successfully installed and configured Astaro. I set up all my packet filter rules. I configured IDS, SYN, and the others.

And I started to wait for a SYN attack, and last night we had one. But unfortunately, Astaro did nothing against the attack. I turned on logging for everything from SYN. I see the packets passing.

I really need your help blocking these SYN attacks. I decreased the p/s rate to 10/10 and still some SYNs are passing.

What I have in mind is this: if there are SYN packets from source X to destination Y, passing Z packets in a second, this counts as 1. And if there are A such events in B seconds, block source X for C seconds.

I hope I have expressed what I mean.

Please, I need your urgent help.

Thanks.


  • Is the IPS detecting a SYN flood?

    Chris
  • The IPS is not detecting the SYN flood, as I tried to explain in my post. I had enabled it via WebAdmin >> IPS >> Flood Protection.
  • Can you sniff the traffic on the target server to check whether those are really SYN floods and not regular traffic?

    Chris
  • Chris, sorry, but I am not such a fool that I don't understand a SYN flood attack.
    I can see SYN packets passing in the live log and on the target box via netstat -an (hundreds of SYN connections from the same source IP):
  • tcp        0      0 212.175.236.22:80       85.96.78.161:2116       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2912       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3234       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3604       SYN_RECV   
    tcp        0      0 212.175.236.22:80       80.132.250.29:3280      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2146       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2362       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2149       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2974       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.101.131.122:3215     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3204       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3187       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2859       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2710       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.168.255.151:4786     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2939       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3968       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3218       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.168.255.151:4805     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3112       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3426       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3266       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.215.123.102:1324     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:1954       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3562       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.101.151.63:2063      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3115       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3651       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2917       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2914       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3230       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3689       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2444       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:1775       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3305       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2011       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2463       SYN_RECV   
    tcp        0      0 212.175.236.22:80       195.175.61.190:3355     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3203       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2328       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3606       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.213.156.199:62363    SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3563       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.214.151.191:1342     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3231       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2445       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2040       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3290       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.214.118.37:28699     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2706       SYN_RECV   
    tcp        0      0 212.175.236.22:80       84.194.171.184:3350     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3274       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.213.158.127:2097     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3727       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3295       SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.98.113.140:1591      SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:2806       SYN_RECV   
    tcp        0      0 212.175.236.22:80       81.215.134.245:1715     SYN_RECV   
    tcp        0      0 212.175.236.22:80       85.96.78.161:3294       SYN_RECV  

    And it goes on like this, until memory and swap usage are full and then the system hangs.

    Linux Debian Sarge 64bit
    Dual Xeon 3.2 GHz / 2 GB RAM

    None of these are working.

    # /etc/sysctl.conf - Configuration file for setting system variables
    # See sysctl.conf (5) for information.
    #
    #kernel.domainname = example.com

    #TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    #Disable IP Source Routing
    net.ipv4.conf.all.accept_source_route = 0
    #Disable ICMP Redirect Acceptance
    net.ipv4.conf.all.accept_redirects = 0
    #IP Spoofing Protection
    net.ipv4.conf.all.rp_filter = 1
    #Ignoring Broadcasts Request
    net.ipv4.icmp_echo_ignore_broadcasts=1
    #Bad Error Message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
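The two things asked for in this thread, counting half-open connections per source from netstat output and the tiered "Z SYNs per second is one event, A events in B seconds blocks the source for C seconds" rule from the opening post, can be put together in a few dozen lines. The script below is an added illustration, not Astaro code and not anything the posters ran. The netstat sample is constructed in the shape of the output above (a few lines, one ESTABLISHED entry mixed in), and the traffic fed to the rate blocker is a constructed stream of SYN timestamps, not a capture; all thresholds (Z=10, A=3, B=10 s, C=60 s) are assumed values chosen for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the shape of the `netstat -an` output posted above:
# local socket 212.175.236.22:80, one dominant remote source in SYN_RECV.
NETSTAT_SAMPLE = """\
tcp        0      0 212.175.236.22:80       85.96.78.161:2116       SYN_RECV
tcp        0      0 212.175.236.22:80       85.96.78.161:2912       SYN_RECV
tcp        0      0 212.175.236.22:80       80.132.250.29:3280      SYN_RECV
tcp        0      0 212.175.236.22:80       85.96.78.161:3234       SYN_RECV
tcp        0      0 212.175.236.22:80       84.168.255.151:4786     ESTABLISHED
tcp        0      0 212.175.236.22:80       85.96.78.161:3604       SYN_RECV
"""

# proto recv-q send-q local remote state (IPv4 only; ports are split off below)
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)


def half_open_by_source(netstat_text):
    """Count SYN_RECV (half-open) entries per remote IP from `netstat -an` text."""
    counts = defaultdict(int)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group("state") != "SYN_RECV":
            continue
        src_ip = m.group("remote").rsplit(":", 1)[0]  # drop the source port
        counts[src_ip] += 1
    return dict(counts)


class SynRateBlocker:
    """The tiered rule from the opening post (assumed threshold values):
    - Z or more SYNs from (src, dst) within one second count as ONE event for src
    - A events for src within B seconds block src for C seconds
    """

    def __init__(self, z=10, a=3, b=10.0, c=60.0):
        self.z, self.a, self.b, self.c = z, a, b, c
        self.syns = defaultdict(deque)    # (src, dst) -> SYN timestamps in last 1 s
        self.events = defaultdict(deque)  # src -> event timestamps in last B s
        self.blocked_until = {}           # src -> block expiry timestamp

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:               # block has aged out; forget it
            del self.blocked_until[src]
            return False
        return True

    def observe_syn(self, src, dst, now):
        """Feed one SYN (timestamp in seconds). Returns True if the packet
        should be dropped because src is (now) blocked."""
        if self.is_blocked(src, now):
            return True
        window = self.syns[(src, dst)]
        window.append(now)
        while window and now - window[0] >= 1.0:   # keep only the last second
            window.popleft()
        if len(window) >= self.z:
            window.clear()   # one burst = one event, not one event per packet
            ev = self.events[src]
            ev.append(now)
            while ev and now - ev[0] >= self.b:    # keep only the last B seconds
                ev.popleft()
            if len(ev) >= self.a:
                self.blocked_until[src] = now + self.c
                ev.clear()
                return True
        return False


def simulate(blocker, flood_src="85.96.78.161", dst="212.175.236.22",
             legit_src="80.132.250.29"):
    """Constructed traffic: flood_src sends 50 SYN/s for 5 s, legit_src 1 SYN/s.
    Returns when the flooder was first blocked and how many SYNs were dropped."""
    dropped = defaultdict(int)
    first_block = None
    for i in range(250):
        t = i / 50.0
        if blocker.observe_syn(flood_src, dst, t):
            dropped[flood_src] += 1
            if first_block is None:
                first_block = t
        if i % 50 == 0 and blocker.observe_syn(legit_src, dst, t):
            dropped[legit_src] += 1
    return {"first_block_at": first_block, "dropped": dict(dropped)}


if __name__ == "__main__":
    print("half-open per source:", half_open_by_source(NETSTAT_SAMPLE))
    print("simulation:", simulate(SynRateBlocker()))
```

With the assumed thresholds the flooder trips three events inside the first 0.6 s and is blocked for 60 s, while the 1 SYN/s source never reaches Z and is never touched. Two caveats a practitioner would want alongside this: per-source counting like this only helps while the flood really comes from a handful of addresses, as in the netstat output above; a flood with spoofed or rotating sources needs SYN cookies or a SYN proxy instead. And `net.ipv4.tcp_syncookies = 1` from the sysctl listing only engages once the listen backlog (`net.ipv4.tcp_max_syn_backlog`) is full, so a SYN_RECV table of hundreds of entries is still expected with cookies enabled.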