Diagnosis and blocking of SYN flood attacks on Linux server, linuxsyn

Diagnosis and blocking of SYN flood attacks on Linux server, linuxsyn
This article describes how to diagnose and block SYN flood attacks on Linux servers. For more information, see

1. Introduction
SYN Flood is one of the most popular DoS (Denial of Service Attack) and DDoS (Distributed Denial of Service Attack) methods, send a large number of forged TCP connection requests, and send the first handshake packet (SYN Packet) of a massive request connection from a counterfeit IP or IP segment ), the attacked server responds to the second handshake packet (SYN + ACK packet). because the other party is a fake IP address, the other party will never receive the packet and will not respond to the third handshake packet. As a result, the attacked server maintains a large number of "semi-Connections" in the SYN_RECV state and retries to respond to the second handshake packet five times by default, which is full of TCP waiting connection queues, when resources are exhausted (the CPU is full or the memory is insufficient), normal service requests cannot be connected.

The detailed principles are described on the Internet and there are many countermeasures, but most of them have little effect. Here we will introduce how we diagnose and respond to them.

2. Diagnosis
When we saw a sharp drop in the business curve, we checked the machine and DNS and found that the external machine was slow in response, high CPU load, slow ssh Login, and even some machines could not log on. We checked the system syslog:

The Code is as follows:
# Tail-f/var/log/messages
Apr 18 11:21:56 web5 kernel: possible SYN flooding on port 80. Sending cookies.

Check that the number of connections increases, and the number of SYN_RECV connections is particularly high:

The Code is as follows:
# Netstat-n | awk '/^ tcp/{++ S [$ NF]} END {for (a in S) print a, S [a]}'
TIME_WAIT 16855
CLOSE_WAIT 21
SYN_SENT 99
FIN_WAIT1 229
FIN_WAIT2 113
ESTABLISHED 8358
SYN_RECV 48965
CLOSING 3
LAST_ACK 313

Based on experience, check the number of connections normally as follows:

The Code is as follows:
# Netstat-n | awk '/^ tcp/{++ S [$ NF]} END {for (a in S) print a, S [a]}'
TIME_WAIT 42349
CLOSE_WAIT 1
SYN_SENT 4
FIN_WAIT1 298
FIN_WAIT2 33
ESTABLISHED 12775
SYN_RECV 259
CLOSING 6
LAST_ACK 432

The above are the two main features of TCP flood attacks. Execute netstat-na> specify the file to retain the evidence.

3. Optimized Linux to block SYN flood attacks
If a Linux server suffers SYN flood attacks, perform the following settings:

The Code is as follows:
# Shorten the SYN-Timeout time:
Iptables-a forward-p tcp-syn-m limit-limit 1/s-j ACCEPT
Iptables-a input-I eth0-m limit-limit 1/sec-limit-burst 5-j ACCEPT
# The maximum number of syn packets per second is expressed:
Iptables-N syn-flood
Iptables-a input-p tcp-syn-j syn-flood
Iptables-A syn-flood-p tcp-syn-m limit-limit 1/s-limit-burst 3-j RETURN
Iptables-A syn-flood-j REJECT
# Set syncookies:
Sysctl-w net. ipv4.tcp _ syncookies = 1
Sysctl-w net. ipv4.tcp _ max_syn_backlog = 3072
Sysctl-w net. ipv4.tcp _ synack_retries = 0
Sysctl-w net. ipv4.tcp _ syn_retries = 0
Sysctl-w net. ipv4.conf. all. send_redirects = 0
Sysctl-w net. ipv4.conf. all. accept_redirects = 0
Sysctl-w net. ipv4.conf. all. forwarding = 0
Sysctl-w net. ipv4.icmp _ echo_ignore_broadcasts = 1
# PING prevention:
Sysctl-w net. ipv4.icmp _ echo_ignore_all = 1
# Blocked specific IP address range:
Iptables-a input-s 10.0.0.0/8-I eth0-j Drop