How to Stop SSYN attack ?


jure12

I found on one webpage some ways to reduce SSYN DDoS attacks.

This file can be found at /etc/sysctl.conf.
I think the most important value you can set to secure your TCP connections is:
net.ipv4.tcp_syncookies=1

Another thing you can do is reduce the timeout value from 60 to 30 seconds. This is not TCP standard at all, but at least the connection refresh will be faster than the default.

Note: keep in mind this reduces the impact of SYN flooding; it will not stop it completely. Make sure you don't set this value too low, otherwise it could create a TCP packet loss situation.
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30

The last thing you can do is create iptables entries to limit them on your server.
# create new chain
iptables -N syn-flood

# limits incoming packets
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN

# log attacks
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "

# silently drop the rest
iptables -A syn-flood -j DROP

# send new TCP connection attempts (SYN) through the chain; without this
# rule the chain exists but is never consulted
iptables -I INPUT -p tcp --syn -j syn-flood


Does someone have a better way to reduce SSYN / ESSYN DDoS attacks?
And another question I have: where do I have to make the iptables entries to limit them on my server? In the same file, "sysctl.conf"?
 
Sysctl.conf is where the actual OS limits of the network configuration are set.

You would need to use iptables to null any packets in different situations.
What you explained above would help towards not having network congestion, meaning it blocks all connections when it has filled up its open spaces.

It's hard to explain the best situation and fixes, because some have so many IPs flooding you that you can only limit the amount of connections like above to save your server from network death.

Or limit iptables to null route any IP's connections when it has hit x amount of times per x seconds.

iptables configurations are in iptables.conf and/or made by the SSH command ~$ iptables blah blah
 
iptables configurations are in the iptables.conf and/or made by the ssh command ~$ iptables blah blah

How I understand it, this part:

Code:
# create new chains
iptables -N syn-flood

# limits incoming packets
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN

# log attacks
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "

# silently drop the rest
iptables -A syn-flood -j DROP

means I have to put that part in the file "iptables.conf"?
 

Just apply those commands from SSH directly.
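The first post's sysctl and iptables settings, together with the answer above (apply the rules from SSH), as an added script that is not from the thread. RATE and BURST reuse the post's 10/second and 50; the rules-file path is an assumption.

```shell
#!/bin/sh
# Added example (not code from the thread): the settings discussed above as one
# re-runnable script. RATE and BURST reuse the thread's values; RULES_FILE is an
# assumed path, not an iptables default.
set -eu

RATE="${RATE:-10/second}"
BURST="${BURST:-50}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # assumed path

# sysctl.conf only makes the values survive a reboot; sysctl -w applies them now.
apply_sysctl() {
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
}

# Print the iptables rule set, one command per line, without executing anything.
# Two differences from the snippet quoted in the thread:
#  - the chain is hooked from INPUT (otherwise it is never consulted) and only for
#    connection attempts (-p tcp --syn), so established traffic is never limited;
#  - the LOG rule is rate-limited too, so a flood cannot fill the disk with log lines.
# The -D/-F/-X lines remove a previous copy first, which makes re-running safe.
# Note that -m limit is one global bucket; a per-source limit needs -m hashlimit.
syn_flood_rules() {
    cat <<EOF
iptables -D INPUT -p tcp --syn -j syn-flood 2>/dev/null || true
iptables -F syn-flood 2>/dev/null || true
iptables -X syn-flood 2>/dev/null || true
iptables -N syn-flood
iptables -A syn-flood -m limit --limit $RATE --limit-burst $BURST -j RETURN
iptables -A syn-flood -m limit --limit 6/minute -j LOG --log-prefix "SYN flood: "
iptables -A syn-flood -j DROP
iptables -I INPUT 1 -p tcp --syn -j syn-flood
EOF
}

# Run the commands (as root) and save the result: unlike sysctl.conf, live
# iptables rules are lost on reboot unless restored from a saved file.
apply_rules() {
    syn_flood_rules | sh -e
    iptables-save > "$RULES_FILE"
}

# Usage: sh syn-flood.sh preview | apply   (apply needs root)
case "${1:-}" in
    preview) syn_flood_rules ;;
    apply)   apply_sysctl; apply_rules ;;
esac
```

Run `preview` first to see exactly which commands would be executed; `apply` is the step the reply above describes as applying the commands from SSH, with the rules also saved for reboot.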
 