SYN only packets

Derick Anderson danderson at vikus.com
Fri Aug 5 16:26:10 CEST 2005


Be careful rate-limiting SYNs too much as you can (ironically) degrade
performance quite a bit. I would set a high burst limit and a reasonable
average limit. I mention this because I did some SYN-limiting on a
firewall once and while it protected me from DDoS attacks it also slowed
down Apache somewhat.

You may be better served attempting to identify SYN floods from specific
hosts (-m recent?) and dropping those connections...

Derick Anderson

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Grant Taylor
Sent: Friday, August 05, 2005 1:51 AM
To: James Harrison
Cc: netfilter at lists.netfilter.org
Subject: Re: SYN only packets

Try taking a look at SYN-Cookies in the Linux kernel.  This code was
written explicitly for this type of situation.

You can not stop SYN packets as they are the very first packet in the
three way handshake to start a TCP connection.  About all you can do
(other than SYN-Cookies) is to rate limit the number of packets per
source IP.



Grant. . . .

James Harrison wrote:

> Hi,
>
> I've been trying to calm down some DDoS attacks on my server, but i've

> been stymied on how to block them- however, as APF's AntiDOS plugin 
> captured and reported to root, the really vigorous ones (The ones it
> catches) have no ACK in their headers. SYN, but no ACK. I've read that

> this is a common technique used by DDoSers, but i'm unsure if anything

> else depends on it.
>
> The plan i'm looking at is possibly blocking all packets with SYN 
> alone, no ACK.. would this be possible with iptables, and how would 
> this affect other web services?
>
> Here's one of the captured packet messages (MAC/IPs are removed
> obviously)
>
> Aug  4 21:02:30 ukdsl21 kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=**
> SRC=** DST=** LEN=48 TOS=0x04 PREC=0x00 TTL=116 ID=53191 DF PROTO=TCP
> SPT=4122 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
> (020405B401010402)
>
>
> Any ideas?
>
> Sorry if this sounds completely barmy- if it does, do tell :-)
>
> Thanks in advance,
> James Harrison
>





More information about the netfilter mailing list