Identify and fix SYN attack

Identifying SYN attack

Load becomes very inconsistent
netstat -an | grep SYN (look for a long list of SYN_RECV entries)
netstat -n -p | grep SYN_REC | wc -l (gives the count of half-open SYN_RECV connections)
Also check the access logs (if a particular IP is found to be making the most
requests, you can block that IP)
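
Counting SYN_RECV entries per remote address shows whether the half-open connections come from a few hosts worth blocking or from many (often spoofed) sources, where tcp_syncookies is the relevant defence. The script below is an added example, not part of the original note; the function names, the threshold and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise half-open
# connections per remote address from `netstat -n` style output.

# syn_recv_by_ip: read netstat -n lines on stdin, print "count ip"
# for each remote address in SYN_RECV state, busiest first.
syn_recv_by_ip() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             addr = $5
             sub(/:[0-9]+$/, "", addr)   # strip the trailing :port
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# syn_recv_over: like syn_recv_by_ip, but keep only addresses with at
# least $1 half-open connections (the threshold is an illustrative choice).
syn_recv_over() {
    syn_recv_by_ip | awk -v min="$1" '$1 >= min'
}

# Constructed sample input (documentation address ranges), standing in
# for the output of: netstat -n -t
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.25:51200      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.99:33000      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:33010      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:50000     SYN_RECV
EOF
}

# Run against the sample when executed directly; on a live host use:
#   netstat -n -t | syn_recv_over 20
sample_netstat | syn_recv_by_ip
```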

You can use the rules below
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
netstat -an | grep SYN | more

iptables -A INPUT -s IP -j DROP (replace IP with the offending address)

service iptables restart (on RHEL/CentOS this reloads the saved rule set, so save the rules above first)

Look for these lines in your /etc/httpd/conf/httpd.conf

# KeepAlive: Whether or not to allow persistent connections (more than
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
KeepAliveTimeout 15
Change KeepAlive On to Off with your favorite text editor.
That should work; if not, you may be the victim of a DoS attack.


echo 90 > /proc/sys/net/ipv4/tcp_keepalive_time
