Your Webhosting Questions
Answered by the Webhosting Experts

Identify and fix SYN attack

Identifying SYN attack

Load becomes very inconcistant
netstat -an | grep SYN (if long list SYN_REC)
netstat -n -p|grep SYN_REC|wc -l (gives count of SYN attacks)
also checking acces_logs (if perticular IP found to be requesting most
then can block that IP)

Yyou can go for below
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
netstat -an | grep SYN | more

iptables -A INPUT -s IP -j DROP

iptables -A INPUT -s -j DROP

iptables restart

Look for this lines in your /etc/httpd/conf/httpd.conf

# KeepAlive: Whether or not to allow persistent connections (more than
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
KeepAliveTimeout 15
Set KeepAlive On to Off with your favorite text editor
that should work, if not you may be a victim of DoS attack


echo 90 > /proc/sys/net/ipv4/tcp_keepalive_time

Need More Personalized Help?

If you have any further issues, questions, or would like some assistance checking on this or anything else, please reach out to us from your account and provide your server credentials within the encrypted field for the best possible security and support.

If you are unable to reach your account or if you are on the go, please reach out from your valid account email to us here at: [email protected]. We are also available to you through our phone and live chat system 24/7/365.

Tags +