[Gllug] SYN Flooding - Please Help

Russell Howe rhowe at siksai.co.uk
Fri May 27 10:51:06 UTC 2005


On Fri, May 27, 2005 at 11:26:05AM +0100, wendy carr wrote:
> hi, I am getting loads of SYN requests on port 80. My
> Could someone suggest a way to block these attacks?

You can't really. Contact your upstream provider if you can, and see if
they can do anything about it - they might be able to do per-host SYN
rate limiting or something.

Also, make sure you have syncookies enabled. This won't reduce the
bandwidth used by the flood, but it should allow your server to process
the SYN packets more efficiently, and keep performance somewhat sane.

In Debian, edit /etc/network/options and change syncookies=no to
syncookies=yes

Then a /etc/init.d/networking reload should set this (although it may
not - I haven't checked).

Otherwise, you can do it via sysctl or by echo'ing to something in
/proc/sys/net I think (that's the kind of thing Debian's scripts do for
me).

/proc/sys/net/ipv4/tcp_syncookies looks to be the file, so you can do

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

But it won't stick across reboots.

> or anything else I can do to pinpoint the attack?
> Thanks very much,

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
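
An added example, not part of the original message: shell functions that check the tcp_syncookies flag mentioned above, make it persist across reboots, and count half-open connections per source address. The function names, the use of /etc/sysctl.conf as the persistent location and the sample netstat lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: file paths are parameters so the functions can be tried on copies.

# Succeeds if SYN cookies are on (1 = when the SYN queue overflows, 2 = always).
syncookies_enabled() {
    procfile="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$procfile" ] || return 2
    case "$(cat "$procfile")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Make the setting survive reboots: drop any active tcp_syncookies line from
# the sysctl config (assumed: /etc/sysctl.conf) and append "= 1". Idempotent.
persist_syncookies() {
    conf="${1:-/etc/sysctl.conf}"
    tmp="$(mktemp)" || return 1
    [ -f "$conf" ] || : > "$conf"
    sed '/^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=/d' "$conf" > "$tmp"
    printf 'net.ipv4.tcp_syncookies = 1\n' >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Count half-open (SYN_RECV) connections per remote address from
# `netstat -nt` output on stdin, busiest first. Flood sources are often
# spoofed, so read the addresses as a hint rather than attribution.
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample of `netstat -nt` lines (documentation address ranges).
SAMPLE_NETSTAT='tcp 0 0 192.0.2.10:80 198.51.100.7:41234 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.7:41235 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:5120 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.50:3344 ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
```

On a live host, feed `netstat -nt` into syn_recv_by_source, and run persist_syncookies as root followed by `sysctl -p` to load the file immediately.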