Let the Linux operating system prevent syn attacks-Linux Enterprise Application-Linux server application information. The following is a detailed description. VM service providers may be attacked by hackers during operation. Common attacks include SYN and DDOS attacks. By changing the IP address, it is possible to find the attacked site to avoid the attack, but the service interruption takes a long time. A thorough solution is to add a hardware firewall. However, hardware firewalls are expensive. You can consider using the firewall function provided by the Linux system to defend against attacks.
Anti-SYN flood uses the three-way handshake principle of the TCP/IP protocol to send a large number of network packets that establish connections, but do not actually establish connections, eventually, the network queue of the attacked server is full and cannot be accessed by normal users.
The Linux Kernel provides several SYN-related configurations. Run the following command: sysctl-a | grep syn:
Net. ipv4.tcp _ max_syn_backlog = 1024 net. ipv4.tcp _ syncookies = 0
Net. ipv4.tcp _ synack_retries = 5 net. ipv4.tcp _ syn_retries = 5
Tcp_max_syn_backlog is the length of the SYN queue, and tcp_syncookies are a function. Whether to enable the SYN Cookie function can prevent some SYN attacks. Tcp_synack_retries and tcp_syn_retries define the number of retries of SYN. Increasing the SYN queue length can accommodate more network connections waiting for connection. Enabling the SYN Cookie function can prevent some SYN attacks and reduce the number of retries.
To adjust the preceding settings, follow these steps:
Increase the SYN queue length to 2048:
Sysctl-w net. ipv4.tcp _ max_syn_backlog = 2048
Enable the syn cookie function:
Sysctl-w net. ipv4.tcp _ syncookies = 1
Reduce the number of retries:
Sysctl-w net. ipv4.tcp _ synack_retries = 3 sysctl-w net. ipv4.tcp _ syn_retries = 3
To maintain the preceding configuration during system restart, you can add the preceding command to the/etc/rc. d/rc. local file.
Sync Flood Prevention)
# Iptables-a forward-p tcp -- syn-m limit -- limit 1/s-j ACCEPT
Some people write
# Iptables-a input-p tcp -- syn-m limit -- limit 1/s-j ACCEPT
-- Limit 1/s limits the number of syn concurrencies to 1 per second, which can be modified as needed
Prevents various port scans
# Iptables-a forward-p tcp -- tcp-flags SYN, ACK, FIN, RST-m limit -- limit 1/s-j ACCEPT
Ping flood attack (Ping of Death)
# Iptables-a forward-p icmp -- icmp-type echo-request-m limit -- limit 1/s-j ACCEPT
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
