Possible SYN flooding on port 80. Sending c


cyclo
16-01-2013, 07:48
After doing some more research, I have added the following to /etc/sysctl.conf:

Code:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

cyclo
16-01-2013, 07:18
Hello. Recently I've been having trouble with people attacking my server. This is the second time this has happened, and it brings my entire server down, forcing OVH to do a reboot.

Here's a snippet from the log:

Code:
Jan 16 01:16:38 saladfingerz kernel: TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
Jan 16 01:17:27 saladfingerz kernel: net_ratelimit: 12 callbacks suppressed
Jan 16 01:17:32 saladfingerz kernel: net_ratelimit: 3 callbacks suppressed
Jan 16 01:17:38 saladfingerz kernel: net_ratelimit: 2 callbacks suppressed
Jan 16 01:17:46 saladfingerz kernel: net_ratelimit: 4 callbacks suppressed
Jan 16 01:17:53 saladfingerz kernel: net_ratelimit: 4 callbacks suppressed
Jan 16 01:17:59 saladfingerz kernel: net_ratelimit: 1 callbacks suppressed
Jan 16 01:20:38 saladfingerz kernel: net_ratelimit: 9 callbacks suppressed
Jan 16 01:20:46 saladfingerz kernel: net_ratelimit: 15 callbacks suppressed
... hundreds more

The first time this happened, I added the following rule to iptables: (found this with a quick Google search)

Code:
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP

I also added

Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

This clearly isn't working. I'm not an expert with iptables by any means. Any help I can get to secure my server a little more and stop these kinds of attacks would be appreciated!
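
The kernel message quoted above says "Check SNMP counters"; on Linux those are the TcpExt counters in /proc/net/netstat. The script below is an added example, not part of the original posts: it pulls the SYN-cookie and listen-queue counters and totals the warnings in a log excerpt. The function names are hypothetical and the sample counter values are constructed; the log lines are copied from the post.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.

# Print "name value" for the SYN-related TcpExt counters. Input is a file in
# /proc/net/netstat layout: a "TcpExt:" line of names, then one of values.
syn_counters() {
    awk '
        $1 == "TcpExt:" && !names { for (i = 2; i <= NF; i++) n[i] = $i; names = 1; next }
        $1 == "TcpExt:" {
            for (i = 2; i <= NF; i++)
                if (n[i] ~ /^(Syncookies(Sent|Recv|Failed)|Listen(Overflows|Drops))$/)
                    print n[i], $i
            names = 0
        }
    ' "${1:-/proc/net/netstat}"
}

# Count flood warnings and total the kernel messages hidden by net_ratelimit.
flood_summary() {
    awk '
        /Possible SYN flooding on port/ { floods++ }
        /net_ratelimit: [0-9]+ callbacks suppressed/ {
            for (i = 1; i < NF; i++) if ($i == "net_ratelimit:") hidden += $(i + 1)
        }
        END { printf "flood_warnings=%d suppressed=%d\n", floods, hidden }
    ' "$1"
}

# Sample input: counter values are constructed; log lines are from the post.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/netstat" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 48211 37 912 5 1204 1310
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
cat > "$SAMPLE_DIR/messages" <<'EOF'
Jan 16 01:16:38 saladfingerz kernel: TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
Jan 16 01:17:27 saladfingerz kernel: net_ratelimit: 12 callbacks suppressed
Jan 16 01:17:32 saladfingerz kernel: net_ratelimit: 3 callbacks suppressed
Jan 16 01:17:38 saladfingerz kernel: net_ratelimit: 2 callbacks suppressed
EOF

syn_counters "$SAMPLE_DIR/netstat"
flood_summary "$SAMPLE_DIR/messages"
```

Called with no argument, `syn_counters` reads the live /proc/net/netstat; running it twice a few seconds apart shows whether SyncookiesSent and ListenDrops are still climbing.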