The SYN (TCP connection request) attack is a common denial of service (DoS) technique.
When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
In a SYN attack the attacker sends many SYNs but never completes the third step, so the server's table of half-open connections fills up and legitimate clients can no longer connect.
[root@server ~]# netstat -anp | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That lists the IPs holding the most connections to the server, busiest last. Bear in mind that DDoS attacks are becoming more sophisticated: attackers use fewer connections per source spread across more attacking IPs, so you can still see low per-IP connection counts even while you are under a DDoS.
To see how many active connections your server is currently handling:
[root@server ~]# netstat -n | grep :80 | wc -l
4
[root@server ~]# netstat -n | grep :80
tcp 0 0 10.21.1.16:38991 10.201.13.50:80 ESTABLISHED
tcp 0 0 10.21.1.16:41877 10.201.13.50:80 TIME_WAIT
tcp 0 0 10.21.1.16:41884 10.201.13.50:80 TIME_WAIT
tcp 0 0 10.21.1.16:41881 10.201.13.50:80 TIME_WAIT
tcp 0 0 10.21.1.16:41885 10.201.13.50:80 ESTABLISHED
The command above shows the number of connections currently open to your web server. If the count is far above 500, you are probably having problems.
To reduce the impact of a SYN attack, enable SYN cookies:
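The two netstat checks above, reworked as an added example that is not from the original post: it counts only TCP rows (so header words and unix-socket fields never show up as peers), separates half-open SYN_RECV entries, which are what a SYN flood inflates, and reports whether the tcp_syncookies knob is on. The sample output embedded in it is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the post's netstat one-liner,
# restricted to TCP rows so header words and unix-socket columns ("Address",
# "STREAM", "]") never show up as peers, plus a view of half-open connections.
# SAMPLE is constructed data in `netstat -ant` layout; for live use replace
# `printf '%s\n' "$SAMPLE"` with `netstat -ant`.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.201.13.50:80         10.21.1.16:38991        ESTABLISHED
tcp        0      0 10.201.13.50:80         10.21.1.16:41877        TIME_WAIT
tcp        0      0 10.201.13.50:80         198.51.100.7:50001      SYN_RECV
tcp        0      0 10.201.13.50:80         198.51.100.7:50002      SYN_RECV
tcp        0      0 10.201.13.50:80         198.51.100.7:50003      SYN_RECV
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::1:443         2001:db8::99:40000      ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock'

# Connections per remote peer, busiest first. sub() strips only the trailing
# ":port", so IPv6 peers survive where `cut -d: -f1` would mangle them.
peers_by_count() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn
}

# Half-open connections per peer: SYN received, final ACK never arrived.
# A few peers holding many SYN_RECV entries is the classic SYN-flood picture.
half_open_by_peer() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn
}

# Total half-open count. Watch this even when no single peer stands out: a
# distributed flood spreads its SYNs thinly over many sources.
half_open_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Whether SYN cookies are on (1 or 2 in the /proc knob the post sets). The
# path argument exists so the check can be run against a copy of the file.
syncookies_enabled() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    [ -r "$f" ] && [ "$(cat "$f")" -ge 1 ] 2>/dev/null
}

echo "== connections per peer ==";  printf '%s\n' "$SAMPLE" | peers_by_count
echo "== half-open per peer ==";    printf '%s\n' "$SAMPLE" | half_open_by_peer
echo "== half-open total ==";       printf '%s\n' "$SAMPLE" | half_open_total
syncookies_enabled && echo "tcp_syncookies: on" || echo "tcp_syncookies: off or unreadable"
```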
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Add these rules to your iptables configuration to drop packets carrying TCP flag combinations that legitimate traffic never uses:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
Finally, save the rules and restart iptables.
# /etc/init.d/iptables save
# /etc/init.d/iptables restart