Tuesday, July 12, 2011

Using the Linux system to prevent SYN attacks

A web hosting service provider may be hit by hacker attacks during operation; common attack methods are SYN floods, DDoS and so on. Changing the server's IP address, so that the attacker has to find the site again, may avoid the attack, but the service is interrupted for a long time. A more thorough solution is to install a hardware firewall. Hardware firewalls are expensive, however, so you may consider using the firewall that the Linux system itself provides to defend against such attacks.
A SYN attack exploits the TCP/IP three-way handshake: the attacker sends a large number of connection-establishment packets (SYNs) but never actually completes the connections, so the attacked server's connection queue eventually fills up and normal users can no longer get in.
The Linux kernel provides a number of SYN-related configuration parameters. Use the command sysctl -a | grep syn to see them:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is a switch that, when enabled, turns on the SYN cookie feature, which can prevent some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries. Increasing the SYN queue length accommodates more connections waiting to be established, enabling SYN cookies prevents some SYN attacks, and reducing the number of retries also has some effect.
Adjust these settings as follows:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable the SYN cookie feature:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep this configuration after the system is restarted, add these commands to the /etc/rc.d/rc.local file.
Prevent SYN packet floods (SYN Flood):
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
It can also be written as:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits the rate of SYN packets to 1 per second; modify it according to your needs.
Prevent various kinds of port scans:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (Ping of Death):
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
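As an added example (not part of the original post), the script below audits the four sysctl keys discussed above against the recommended values and prints the sysctl -w commands needed to fix any drift, and it emits the INPUT SYN rate-limit rule together with the DROP rule the post leaves implicit: an ACCEPT within the limit only works if SYNs over the limit are dropped by a following rule or by the chain policy. The sample sysctl output is constructed; nothing in the script modifies the system.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the SYN-related sysctl
# keys against the values the post recommends, prints the sysctl -w commands
# needed to fix drift, and emits the INPUT SYN rate-limit rules with the DROP
# rule the post leaves implicit. Review the output, then run it as root.

# Recommended values from the post, as key=value lines.
RECOMMENDED='net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3'

# Constructed sample of "sysctl -a | grep syn" output from an untuned host,
# so the script runs offline. On a real host pass "$(sysctl -a 2>/dev/null)".
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Turn "key = value" into "key=value" so lines compare with RECOMMENDED.
normalize() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*=[[:space:]]*/=/'
}

# Print one "sysctl -w key=value" line per recommended key whose current
# value differs (a missing key counts as drift); prints nothing if compliant.
syn_drift() {
    current=$(normalize "$1")
    printf '%s\n' "$RECOMMENDED" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$current" | awk -F= -v k="$key" '$1 == k { print $2 }')
        [ "$have" = "$want" ] || printf 'sysctl -w %s=%s\n' "$key" "$want"
    done
}

# Number of drifting keys, usable as a monitoring check (0 means compliant).
syn_drift_count() {
    syn_drift "$1" | awk 'END { print NR }'
}

# The post's SYN rate limit on INPUT plus a DROP for SYNs over the limit.
# Without that DROP (or a DROP chain policy) the limit match changes nothing:
# excess SYNs fall through to later rules and are still accepted.
syn_limit_rules() {
    rate=${1:-1/s}
    printf 'iptables -A INPUT -p tcp --syn -m limit --limit %s -j ACCEPT\n' "$rate"
    printf 'iptables -A INPUT -p tcp --syn -j DROP\n'
}

syn_drift "$SAMPLE_SYSCTL"
syn_limit_rules 1/s
```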