Friday, August 19, 2011

How to stop a SYN flood attack using iptables?

This is what I did to stop a SYN flood attack on my Linux system.


iptables -N syn-flood

iptables -A INPUT -p tcp --syn -j syn-flood

iptables -A syn-flood -p tcp --syn -m hashlimit \
    --hashlimit-upto 200/sec --hashlimit-burst 3 \
    --hashlimit-mode srcip --hashlimit-htable-expire 300000 \
    --hashlimit-name testlimit -j RETURN

iptables -A syn-flood -m recent --name blacklist --set -j DROP

# No catch-all "iptables -A INPUT -j syn-flood" after this: it would send
# non-SYN traffic into the chain, where only the final DROP rule can match it.

Now let me explain the rules I added. First of all I created a chain named syn-flood:

iptables -N syn-flood

Then I sent every TCP SYN packet to that chain. Only SYNs go there; everything else (established connections, UDP, ICMP) stays in INPUT. This must be the only jump into the chain: a catch-all "iptables -A INPUT -j syn-flood" would push non-SYN traffic past the hashlimit rule, which matches only SYNs, straight into the DROP at the end of the chain.

iptables -A INPUT -p tcp --syn -j syn-flood

After that I used the hashlimit match, an extension of the limit match that keeps one token bucket per key instead of a single global one. With --hashlimit-mode srcip the key is the source IP address, so every client gets its own counter. Note the direction of the match: hashlimit (the option is now spelled --hashlimit-upto; the old --hashlimit still works as an alias) matches packets that are within the limit, here 200 SYNs per second per source with an initial burst of 3, and those packets RETURN to the INPUT chain to be handled normally. A SYN that exceeds the rate does not match this rule and falls through to the next rule in the chain. --hashlimit-htable-expire is given in milliseconds: 300000 means an idle entry is removed from the table after five minutes. --hashlimit-name names the table; its entries can be inspected in /proc/net/ipt_hashlimit/testlimit.

iptables -A syn-flood -p tcp --syn -m hashlimit \
    --hashlimit-upto 200/sec --hashlimit-burst 3 \
    --hashlimit-mode srcip --hashlimit-htable-expire 300000 \
    --hashlimit-name testlimit -j RETURN

One caveat: because the limit is per source address, a flood that spoofs a different source on every SYN never trips it. For that case enable SYN cookies as well (net.ipv4.tcp_syncookies=1).

To put the source doing the flooding in a blacklist I used the recent match. recent --set always matches: it adds the packet's source address to the list named by --name (creating the list on first use) and updates its timestamp, and then the packet is dropped. Only SYNs that fell through the hashlimit rule reach this point, so the list fills with addresses that exceeded the rate. The list can be viewed in /proc/net/xt_recent/blacklist.

iptables -A syn-flood -m recent --name blacklist --set -j DROP

As written, though, nothing ever reads the list: a flooder's excess SYNs are dropped, but as soon as it slows below 200/sec its packets RETURN again. To make the blacklist bite, a rule such as "-m recent --name blacklist --update --seconds 60 -j DROP" has to sit at the top of the chain, before the hashlimit rule.
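The script below is an added example, not the rules from the post above. It builds the same kind of chain but adds the missing step: the blacklist is consulted at the top of the chain so that a flooder stays dropped, and a small helper reads the list back from the kernel. The chain and table names (syn-flood, synlimit, blacklist), the 60-second ban window and the default rates are illustrative choices, as is the /proc/net/xt_recent path (older kernels used /proc/net/ipt_recent).

```shell
#!/bin/sh
# Added example, not the original post's rules: a syn-flood chain that also
# consults the blacklist it fills, plus a helper to read the kernel's state.
# Names, rates and the 60 s ban below are illustrative assumptions.
IPT="${IPT:-iptables}"   # IPT="echo iptables" prints the rules instead of installing them

syn_flood_rules() {
    # $1 allowed SYN rate per source, $2 burst, $3 seconds a flooder stays banned
    rate="${1:-200/sec}"
    burst="${2:-3}"
    ban="${3:-60}"

    # Fresh chain (assumes it does not exist yet); only SYN packets are sent
    # into it, so the rest of INPUT is never exposed to the DROP rules below.
    $IPT -N syn-flood
    $IPT -A INPUT -p tcp --syn -j syn-flood

    # 1. Already blacklisted?  --update matches if the source was seen within
    #    $ban seconds and refreshes its timestamp, so a host that keeps
    #    flooding stays banned and ages out only after $ban quiet seconds.
    $IPT -A syn-flood -m recent --name blacklist --update --seconds "$ban" -j DROP

    # 2. hashlimit matches packets *within* the rate (plus an initial burst),
    #    so well-behaved sources leave the chain here and continue in INPUT.
    #    --hashlimit-upto is the current spelling of the older --hashlimit.
    $IPT -A syn-flood -p tcp --syn -m hashlimit \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-htable-expire 300000 \
        --hashlimit-name synlimit -j RETURN

    # 3. Only SYNs above the rate get here: record the source and drop it.
    $IPT -A syn-flood -m recent --name blacklist --set -j DROP
}

# Sources currently in a recent list.  The kernel exposes one file per list in
# /proc/net/xt_recent/; each line starts with "src=<ip>".  A different path can
# be given instead, e.g. a saved copy of the file.
blacklisted_sources() {
    awk '{ sub(/^src=/, "", $1); print $1 }' "${1:-/proc/net/xt_recent/blacklist}"
}

# "sh synflood.sh apply" installs the rules (needs root); anything else is a
# dry run that only prints them.
if [ "${1:-}" = "apply" ]; then
    syn_flood_rules
else
    ( IPT="echo iptables"; syn_flood_rules )
fi
```

Run it without arguments first to review the five rules it would install; the order matters, since the --update check has to come before the hashlimit RETURN or a banned source that stays under the rate would get through. Once installed, `blacklisted_sources` lists who is currently banned.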

Let me know if you have a better idea.