SYN Flood Attacks

We are receiving huge numbers of SYN packets at our Debian Sarge server.
We have Mikrotik 2.9. I have tried lots of things but none resolve it.

I set two rules to block them, but they are not working well.

chain=forward in-interface=eth2-Telekom dst-address=212.175.229.170 protocol=tcp tcp-flags=syn dst-limit=1,0,src-and-dst-addresses/10m action=accept

chain=forward in-interface=eth2-Telekom dst-address=212.175.229.170 protocol=tcp tcp-flags=syn action=drop

Rule 1 says 10K packets passed, rule 2 says 15K packets dropped.

After these rules, there are still SYN packets on the server; you can find the output at http://www.yuhhu.com/syn.txt (hope the URL is working :))

I will be glad if you can help.

add chain=synflood protocol=tcp limit=400,5 connection-state=new action=return comment="" disabled=no

add chain=synflood protocol=tcp connection-state=new action=drop comment="" disabled=no

Jump to this chain from your input and forward chains. The first rule allows SYN packets; the second rule only activates if the first rule is 'full'.

Sam

On your Linux server, be sure to enable SYN cookies. If it's compiled into the kernel, setting /proc/sys/net/ipv4/tcp_syncookies to 1 enables the feature for combating SYN attacks in Linux.

Thanks for the help, I'll try the jump rule.

But isn't 400 too large? And also, won't restricting access by source and destination IP via dst-limit work?

On the Linux box, I have these iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:50000:50050 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     all  --  laptop.radore.net    anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

And the file /etc/network/options:

ip_forward=no
spoofprotect=yes
syncookies=yes

And I have already set 1 in the file /proc/sys/net/ipv4/tcp_syncookies.

But Linux still goes down under SYN attacks.

400 is an arbitrary number that I chose for the example. Actually ours is slightly higher because we see tons of traffic. Remember how a SYN packet works: you can spoof it, so limiting it by source does no good. Most SYN floods will use forged IP addresses. A dst-limit should be okay, I would assume.
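To make Sam's point concrete, here is an added example (not from the thread or from RouterOS) that simulates token-bucket SYN limiting keyed by source, by source-and-destination (as in the dst-limit rule above) and by destination only, over a constructed flood of SYNs with forged, never-repeated source addresses. The 400,5 rate/burst values are the ones quoted in the thread; the addresses, timings and class names are assumptions made for the example.

```python
# Added example, not from the thread: token-bucket SYN limiting keyed by source,
# by src+dst (as in the dst-limit rule above) and by destination, run over a
# constructed flood of SYNs with forged, never-repeated source addresses.
from typing import Callable, Dict, List, Tuple

Syn = Tuple[float, str, str]  # (timestamp in seconds, src_ip, dst_ip)

class TokenBucket:
    """One bucket approximating RouterOS 'limit=<rate>,<burst>' semantics."""
    def __init__(self, rate: float, burst: int, now: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now  # a fresh key starts full

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def rate_limit(syns: List[Syn], key: Callable[[Syn], str],
               rate: float = 400, burst: int = 5) -> Tuple[int, int]:
    """Return (accepted, dropped) under per-key limiting; defaults are the
    thread's 400,5. A new key gets its own full bucket, which is the weakness."""
    buckets: Dict[str, TokenBucket] = {}
    accepted = 0
    for syn in syns:
        k = key(syn)
        if k not in buckets:
            buckets[k] = TokenBucket(rate, burst, syn[0])
        accepted += int(buckets[k].allow(syn[0]))
    return accepted, len(syns) - accepted

def spoofed_flood(n: int = 2000, seconds: float = 1.0,
                  dst: str = "192.0.2.10") -> List[Syn]:
    """Constructed flood: n SYNs spread evenly over `seconds`, each from a
    different forged 10.x.y.z source, all aimed at one server address."""
    return [(i * seconds / n, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", dst)
            for i in range(n)]

def compare_keys(syns: List[Syn]) -> Dict[str, Tuple[int, int]]:
    """Run the same stream through the three limiter keyings."""
    return {"src": rate_limit(syns, lambda s: s[1]),
            "src-and-dst": rate_limit(syns, lambda s: s[1] + ">" + s[2]),
            "dst": rate_limit(syns, lambda s: s[2])}

if __name__ == "__main__":
    for name, (ok, drop) in compare_keys(spoofed_flood()).items():
        print(f"keyed by {name:12s}: accepted={ok:5d} dropped={drop:5d}")
```

The source-keyed and src+dst-keyed limiters pass every forged SYN because each spoofed address gets a fresh bucket, while the destination-keyed limiter caps what reaches the server at roughly rate plus burst; note that it drops legitimate SYNs along with forged ones during the flood, which is why SYN cookies on the host are still needed.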

I am not getting any packets when I set the rule with connection-state=new.

Are you using connection tracking? If not, then maybe the jump rule isn't passing them to this chain?

Sam

Connection tracking is not enabled. It consumes too much CPU.

Yes, connection-state=new uses the connections table... you should be able to replace that with tcp-flags=syn.

Sam

Even if you block the SYN flood attack, it can eat all your bandwidth and cost you downtime or money. Nasty, nasty stuff.

Yes, tell me about it :) We saw 180 Mbps of spoofed SYN flood last week. Not fun.

Sam