DoS attacks are an eternal problem. Professional firewalls and load-balancer gateway appliances can defend against DoS attacks effectively, but hackers still prefer the combination of x86 + GNU/Linux for a simple reason: it is cheap enough.
The SYNPROXY target was finally added in Linux kernel 3.13. It is a netfilter extension built on connection tracking (conntrack). The main idea: the client's initial SYN is marked UNTRACKED (in the raw table) and then handed straight to the iptables SYNPROXY target (a target like ACCEPT, NFQUEUE or DROP). From that point the kernel takes over the role of the gateway appliance and completes the regular TCP handshake with the client itself, answering the SYN with a SYN cookie instead of creating any state. Only when the client's final ACK (the third packet of the three-way handshake) arrives and the cookie in it validates does SYNPROXY open the connection to the backend and let the packets through. Spoofed SYNs from a flood never answer the cookie, so they never consume a slot in the target's listen queue.
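The following shell script is an added example, not code from the original post: it generates the sysctl and iptables commands that put one TCP port behind SYNPROXY on a 3.13+ kernel. Port 80 and the DRY_RUN variable are assumptions for illustration; the commands are only printed unless you set DRY_RUN=0 and run the script as root.

```shell
#!/bin/sh
# Added example (not from the original post): build the sysctl and iptables
# commands for a SYNPROXY-protected TCP port. Port 80 and DRY_RUN are
# assumed for illustration. Run as root with DRY_RUN=0 to actually apply.

synproxy_sysctls() {
    # Kernel settings SYNPROXY depends on (Linux >= 3.13):
    # - nf_conntrack_tcp_loose=0: otherwise conntrack would adopt a bare ACK
    #   as a new connection before SYNPROXY has validated the cookie.
    # - tcp_syncookies=1 / tcp_timestamps=1: the SYN cookie and timestamp
    #   carry the client's MSS, window scale and SACK-permitted options.
    printf '%s\n' \
        'sysctl -w net.netfilter.nf_conntrack_tcp_loose=0' \
        'sysctl -w net.ipv4.tcp_syncookies=1' \
        'sysctl -w net.ipv4.tcp_timestamps=1'
}

synproxy_rules() {
    port="$1"
    # 1. raw table: the client's first SYN is left UNTRACKED (no conntrack entry).
    # 2. filter table: the UNTRACKED SYN and the client's final ACK (which conntrack
    #    sees as INVALID, since no connection exists yet) reach the SYNPROXY target;
    #    it answers the SYN with a cookie and only opens the backend connection
    #    once the ACK carries a valid cookie. The option values are what SYNPROXY
    #    advertises to the client on the backend's behalf.
    # 3. Everything else conntrack marks INVALID (flood residue, spoofed ACKs) is dropped.
    printf '%s\n' \
        "iptables -t raw -A PREROUTING -p tcp --dport $port -m tcp --syn -j CT --notrack" \
        "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460" \
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
}

apply_cmds() {
    # Execute each generated command; with DRY_RUN=1 (the default) only show it.
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

{ synproxy_sysctls; synproxy_rules 80; } | apply_cmds
```

The order matters: the INVALID DROP rule must come after the SYNPROXY rule, because the client's handshake-completing ACK is itself INVALID from conntrack's point of view and has to reach SYNPROXY first. Once the rules are loaded, the counters in /proc/net/stat/synproxy (syn_received, cookie_valid, cookie_invalid, conn_reopened) show whether SYNs are being answered by the proxy and how many flood ACKs fail cookie validation.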
Data from the developer Jesper Dangaard Brouer shows that SYNPROXY is very effective against SYN flood DoS attacks. Today I also tested SYNPROXY against DoS on Debian and SLES-12-beta2, using hping3 and Metasploit for the testing. The general result: after SYNPROXY is enabled, ksoftirqd usage drops from 8% to 3%.