CentOS Prevent SYN attack (DDoS attack) method

Prevent SYN attacks (one of the Ddoos attacks)

The code is as follows	Copy Code
Iptables-i input-p tcp--syn-m limit--limit 1/s-j ACCEPT Iptables-i forward-p tcp--syn-m limit--limit 1/s-j ACCEPT

Prevent various port scans

The code is as follows	Copy Code
Iptables-a forward-p tcp--tcp-flags syn,ack,fin,rst rst-m limit--limit 1/s-j ACCEPT

Ping flood Attack (ping of Death)

The code is as follows	Copy Code
Iptables-a forward-p ICMP--icmp-type echo-request-m limit--limit 1/s-j ACCEPT

Linux settings

If your server configuration is not very good, the TCP time_wait socket number reaches 20,000 or 30,000, the server can easily be towed to death. By modifying the Linux kernel parameters, you can reduce the number of TIME_WAIT sockets on the server.

Time_wait can be viewed with the following command: The following code fragment:Netstat-an | grep "Time_wait" | wc-l under Linux, such as CentOS, can be modified by/etc/ sysctl.conf file to achieve the goal.

Add the following lines: The following is a code fragment:

code is as follows	copy code
Net.ipv4.tcp _fin_timeout = Net.ipv4.tcp_keepalive_time = 1200 Net.ipv4.tcp_syncookies = 1 Net.ipv4.tcp_tw_reuse = 1 Net.ipv4.tcp_tw_recycle = 1 Net.ipv4.ip_local_port_range = 102465000 Net.ipv4.tcp_max_syn_backlog = 8192 net.ipv4.tcp_max_tw_buckets = 5000 Net.ipv4.tcp_synack_retries = 2 Net.ipv4.tcp_syn_retries =