SYN only packets

Ruben Cardenal ruben at
Fri Aug 5 07:22:53 CEST 2005


> The plan i'm looking at is possibly blocking all packets with SYN alone,
> no ACK.. would this be possible with iptables, and how would this affect
> other web services?

  The main problem with SYN DoS's is the fact that, if it is big enough, it eats
machine resources; no matter what you can do at layer 3, it beats you down
at layer 1, 'cos every time the NIC receives a packet it generates an
interrupt, and if you are receiving > 100.000 pps, your system simply
collapses in a few seconds. Against that, but not yet well implemented in
Linux, you can use polling (as, for example, FreeBSD can do), but this still
won't save you if the attack is big enough. Your only solution is then
asking your uplink to ratelimit the amount of SYNs per second arriving to


- Ruben
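As an added illustration (not code from the list or from Ruben), the classification the original question asks about and the per-second SYN rate limit the reply points to, modelled offline: a parser that picks the flags out of a raw TCP header and flags a bare SYN (SYN set, ACK clear, which is the first packet of every inbound handshake, so dropping all of them blocks every new client), plus a token-bucket limiter that budgets only those bare SYNs. The header builder, the port numbers and the rate/burst values are constructed for the example.

```python
import struct

# TCP flag bits, found in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP segment (assumes a 20+ byte header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def is_syn_only(segment: bytes) -> bool:
    """True for a bare SYN: SYN set and ACK clear. SYN/ACK and plain ACK
    segments (the rest of the handshake and established traffic) return False."""
    flags = tcp_flags(segment)
    return bool(flags & SYN) and not (flags & ACK)

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal 20-byte TCP header, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

class SynRateLimiter:
    """Token bucket approximating an 'N SYNs per second, burst B' policy.
    Only bare SYNs draw from the bucket; every other segment is always allowed."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float, segment: bytes) -> bool:
        if not is_syn_only(segment):
            return True
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def simulate(rate_per_sec: float, burst: int, syn_timestamps):
    """Feed one bare SYN per timestamp; return (accepted, dropped) counts."""
    lim = SynRateLimiter(rate_per_sec, burst)
    syn = build_tcp_header(40000, 80, SYN)      # constructed client SYN to port 80
    accepted = sum(lim.allow(t, syn) for t in syn_timestamps)
    return accepted, len(syn_timestamps) - accepted
```

The limiter only models the policy; as the reply notes, a flood large enough to saturate the interrupt path has already won before any such filter on the host runs, which is why the limit belongs upstream.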

