SYN flood attacks (SYN flooding) exploit a weakness in the TCP three-way handshake: the attacker sends a large number of packets carrying only the initial SYN and never completes the handshake. The target allocates state for each half-open connection and keeps it for a period of time waiting for the rest of the handshake, so the flood ties up system resources that cannot be released, and the attacked machine may refuse further connections or even crash. If a Linux server is under a SYN flood attack, apply the following settings:
# Rate-limit new connection attempts (packets with only the SYN flag set) so a flood
# cannot fill the half-open connection table. The first rule covers forwarded traffic,
# the second traffic arriving on eth0; SYNs over the limit fall through to later rules
# or the chain policy. (The actual half-open timeout is shortened by tcp_synack_retries below.)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Cap the number of SYN packets accepted per second with a dedicated chain: a burst of
# up to 3 and 1/s sustained are returned to INPUT for normal processing; the rest are rejected.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT
# Enable SYN cookies so the kernel can complete handshakes without keeping per-SYN state
# once the backlog is full, enlarge the backlog, and stop retransmitting SYN-ACKs so
# half-open entries expire sooner. (sysctl -w is not persistent; add the keys to
# /etc/sysctl.conf to keep them across reboots.)
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=3072
sysctl -w net.ipv4.tcp_synack_retries=0
sysctl -w net.ipv4.tcp_syn_retries=0   # also disables SYN retries for this host's own outbound connections
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Ignore all ICMP echo requests (the host stops answering ping):
sysctl -w net.ipv4.icmp_echo_ignore_all=1
# Drop traffic from a specific address range arriving on eth0 (10.0.0.0/8 here):
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
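Two checks that belong alongside the settings above, as an added example (not code from the original page): the first looks for the symptom of a SYN flood, a pile-up of half-open connections in SYN_RECV, by parsing /proc/net/tcp text; the second audits a `sysctl -a` style listing against the values set above. Both read stdin, so they can be fed `cat /proc/net/tcp` and `sysctl -a` on a live host (`ss -n state syn-recv` gives the same half-open view). The sample data below is constructed for this example, and the address decoding assumes a little-endian host, which is how /proc/net/tcp looks on x86.

```shell
#!/bin/sh
# Added example, not part of the original page. Offline checks for the SYN flood
# hardening above; sample data is constructed, functions read stdin.

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order, so on a
# little-endian machine (assumed here) 10.0.0.1 appears as 0100000A.
hex_to_ip() {
  h=$1
  printf '%d.%d.%d.%d\n' "0x${h#??????}" "0x$(printf '%s' "$h" | cut -c5-6)" \
    "0x$(printf '%s' "$h" | cut -c3-4)" "0x${h%??????}"
}

# Column 4 of /proc/net/tcp is the socket state; 03 is SYN_RECV (half-open).
count_syn_recv() {
  awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }'
}

# Prints "count ip" per remote address holding half-open connections, busiest first.
# One source dominating this list, or a total far above the normal accept rate, is the
# signal to enable the syn-flood chain and the sysctl settings above.
top_syn_sources() {
  awk 'NR > 1 && $4 == "03" { split($3, a, ":"); print a[1] }' \
    | sort | uniq -c | sort -rn \
    | while read -r n hex; do
        printf '%s %s\n' "$n" "$(hex_to_ip "$hex")"
      done
}

# Reads "key = value" lines (the format of `sysctl -a`) and reports keys whose value
# differs from the hardening above, or that are missing from the listing.
audit_sysctl() {
  awk '
    BEGIN {
      want["net.ipv4.tcp_syncookies"]              = "1"
      want["net.ipv4.tcp_max_syn_backlog"]         = "3072"
      want["net.ipv4.tcp_synack_retries"]          = "0"
      want["net.ipv4.tcp_syn_retries"]             = "0"
      want["net.ipv4.conf.all.accept_redirects"]   = "0"
      want["net.ipv4.conf.all.send_redirects"]     = "0"
      want["net.ipv4.icmp_echo_ignore_broadcasts"] = "1"
    }
    {
      gsub(/[ \t]/, "")                 # accept "key = value" and "key=value"
      n = index($0, "=")
      if (n == 0) next
      key = substr($0, 1, n - 1); val = substr($0, n + 1)
      if (key in want) {
        seen[key] = 1
        if (val != want[key]) printf "MISMATCH %s expected=%s actual=%s\n", key, want[key], val
      }
    }
    END { for (k in want) if (!(k in seen)) printf "MISSING %s expected=%s\n", k, want[k] }
  '
}

# Constructed sample of /proc/net/tcp: a listener on 192.0.2.10:80, three half-open
# connections from 10.0.0.1, one from 10.0.0.2, and one established session from 10.0.0.9.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:0050 0100000A:C350 03 00000000:00000000 01:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   2: 0A0200C0:0050 0100000A:C351 03 00000000:00000000 01:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0A0200C0:0050 0100000A:C352 03 00000000:00000000 01:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   4: 0A0200C0:0050 0200000A:C353 03 00000000:00000000 01:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   5: 0A0200C0:0050 0900000A:C354 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0'

# Constructed sample of `sysctl -a` output from a host where two of the settings
# above were never applied (syncookies still off, SYN-ACK retries still at 5).
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 3072
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

printf '%s\n' "$SAMPLE_PROC_NET_TCP" | count_syn_recv      # 4
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | top_syn_sources     # 3 10.0.0.1 / 1 10.0.0.2
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl              # two MISMATCH lines
```

On a live host the same functions run as `count_syn_recv < /proc/net/tcp` and `sysctl -a 2>/dev/null | audit_sysctl`; the audit list only covers the SYN and redirect keys from the settings above, so extend the `want` table if you also apply the ping and forwarding settings.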