The SYN (TCP connection request) attack is a common denial of service (DoS) technique. When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
A SYN attack sends many SYN messages and never sends the final ACK, so the server is left holding half-open (SYN_RECV) connections until its backlog fills up and legitimate clients can no longer connect.
How to check for a SYN attack on the server.
[root@server ~]# netstat -anp | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1 10.209.4.1
1 10.21.1.16
1 108.60.195.222
1 123.108.40.2
1 128.103.208.29
1 132.3.57.18
1 132.3.57.19
1 164.89.253.5
1 168.95.6.67
1 176.74.176.167
1 184.172.236.145
1 195.50.106.142
1 198.187.135.180
1 198.187.29.15
1 199.36.20.130
1 202.108.3.242
1 202.96.125.100
1 204.232.236.212
1 206.29.177.243
1 207.115.20.20
1 207.115.37.20
1 207.115.37.21
1 207.126.147.13
1 207.46.163.30
1 207.69.189.43
1 208.237.111.8
1 208.65.144.12
1 208.65.144.13
1 208.80.206.77
1 209.240.204.25
1 212.159.9.200
1 213.199.180.150
1 216.114.114.147
1 216.146.33.1
1 216.178.66.140
1 216.196.206.62
1 216.32.180.22
1 216.70.64.121
1 216.82.253.227
1 216.9.248.34
1 216.99.131.20
1 220.181.12.53
1 223.165.24.11
1 38.111.141.32
1 58.87.2.68
1 60.28.2.248
1 62.141.94.151
1 64.12.90.34
1 64.18.5.14
1 64.18.6.11
1 64.18.7.10
1 64.18.7.11
1 64.211.58.30
1 64.95.72.242
1 65.55.37.104
1 66.175.131.75
1 66.199.16.131
1 66.38.0.206
1 67.18.18.106
1 67.69.240.17
1 67.69.240.20
1 69.84.129.233
1 71.74.56.244
1 74.125.141.27
1 74.205.4.13
1 75.126.136.141
1 75.180.132.244
1 77.238.177.9
1 83.138.65.71
1 96.56.31.82
1 Address
1 and
1 (servers
1 State
2 10.209.4.2
2 202.96.125.101
2 64.18.4.10
2 64.98.36.4
2 72.167.238.201
2 74.125.25.27
2 75.180.132.243
4 71.74.56.243
16 10.200.1.11
22
26 0.0.0.0
29 ]
212 DGRAM
278 STREAM
[root@server ~]#
That will list the IPs holding the largest number of connections to the server. It is important to remember that DDoS attacks are becoming more sophisticated and are using fewer connections from more attacking IPs. If this is the case you will still see a low number of connections per IP even while you are under a DDoS.
How to see how many active connections your server is currently processing.
[root@server ~]# netstat -n | grep :80 | wc -l
4
[root@server ~]# netstat -n | grep :80
tcp        0      0 10.21.1.16:38991        10.201.13.50:80         ESTABLISHED
tcp        0      0 10.21.1.16:41877        10.201.13.50:80         TIME_WAIT
tcp        0      0 10.21.1.16:41884        10.201.13.50:80         TIME_WAIT
tcp        0      0 10.21.1.16:41881        10.201.13.50:80         TIME_WAIT
tcp        0      0 10.21.1.16:41885        10.201.13.50:80         ESTABLISHED
The above command will show the number of active connections that are open to your server. If you are much above 500 you are probably having problems.
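The two checks above (connections per remote IP, and the number of connections on a port) can be made more reliable by filtering on the protocol column, which removes the header and unix-socket lines that the post's pipeline turned into "Address", "STREAM" and "DGRAM" entries, and by counting half-open (SYN_RECV) sockets separately, since those are what a SYN flood piles up. The following is an added example, not the post's own commands; the netstat-style sample lines and the half-open threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): count TCP sockets per remote
# address and per state from netstat-style output. Only lines whose first
# column is tcp/tcp6 are considered, so headers and unix sockets are ignored.
# The sample below is constructed; feed live data with: netstat -ant | tcp_per_ip

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.21.1.16:80           203.0.113.7:51234       SYN_RECV
tcp        0      0 10.21.1.16:80           203.0.113.7:51235       SYN_RECV
tcp        0      0 10.21.1.16:80           203.0.113.7:51236       SYN_RECV
tcp        0      0 10.21.1.16:80           198.51.100.20:40001     ESTABLISHED
tcp        0      0 10.21.1.16:80           198.51.100.20:40002     TIME_WAIT
tcp        0      0 10.21.1.16:22           192.0.2.9:55000         ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::9:61000       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/demo.sock'

# Print "count address" for every remote address holding TCP sockets, busiest
# first. The port is removed by matching a trailing ":port", which works for
# IPv6 literals (which contain colons themselves) as well as IPv4.
tcp_per_ip() {
    awk '$1 ~ /^tcp6?$/ { addr = $5; sub(/:[^:]*$/, "", addr); print addr }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, restricted to half-open connections: SYN-ACK sent, final ACK never
# received. This is the state a SYN flood leaves behind.
half_open_per_ip() {
    awk '$1 ~ /^tcp6?$/ && $6 == "SYN_RECV"' | tcp_per_ip
}

# Number of TCP sockets whose *local* port is $1. The match is anchored, so
# "80" does not also count port 8080 or connections to a remote port 80 the
# way a plain "grep :80" does.
count_local_port() {
    awk -v port="$1" '$1 ~ /^tcp6?$/ && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Remote addresses holding at least $1 half-open connections. The threshold is
# a constructed tuning knob, not a value from the post.
flag_half_open() {
    half_open_per_ip | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Demo run over the constructed sample.
echo "half-open connections per remote address:"
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_per_ip
echo "sockets on local port 80: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_local_port 80)"
echo "addresses at or over 3 half-open connections: $(printf '%s\n' "$SAMPLE_NETSTAT" | flag_half_open 3)"
```

On a live host, `netstat -ant | half_open_per_ip` is the view to watch during a suspected flood; as the post notes, a distributed attack may show only one or two half-open sockets per address, so the total count of SYN_RECV sockets matters as much as the per-address top entries.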
Try this command to enable SYN cookies and reduce the effect of a SYN attack:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Add these rules to the iptables file:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
Finally, save the rules and restart iptables.
# /etc/init.d/iptables save
# /etc/init.d/iptables restart
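The sysctl write and the seven flag rules above can be put into one repeatable script. The following is an added example, not the post's own script: it keeps the post's rule set verbatim, checks with `iptables -C` before appending so that re-running never duplicates rules, and writes the syncookie setting to a sysctl drop-in so it survives a reboot (the echo into /proc alone does not). The drop-in path and the APPLY_SYN_HARDENING switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script: the post's mitigations applied
# in a repeatable way. Generation and inspection functions run anywhere;
# changes are only made when APPLY_SYN_HARDENING=1 is set and the script runs
# as root. SYSCTL_FILE is an assumed drop-in path; adjust it for your distro.

SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/90-tcp-syncookies.conf}"

# The seven invalid-flag rules from the post, one per line, without the
# leading "iptables" so the same text can be fed to both -A and -C.
bogus_flag_rules() {
    cat <<'EOF'
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
EOF
}

rule_count() { bogus_flag_rules | wc -l | tr -d ' '; }

# Current kernel setting: 0 = off, 1 = send cookies once the SYN backlog is
# full, 2 = always send cookies. "unavailable" outside Linux or in a sandbox.
syncookies_state() {
    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        cat /proc/sys/net/ipv4/tcp_syncookies
    else
        echo unavailable
    fi
}

# The post's echo into /proc takes effect immediately but is lost at reboot;
# the sysctl drop-in makes the setting persistent.
enable_syncookies() {
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    printf 'net.ipv4.tcp_syncookies = 1\n' > "$SYSCTL_FILE"
}

# Append each rule only if "iptables -C" reports it is not already present,
# so running the script twice does not duplicate the rule set.
apply_bogus_flag_rules() {
    bogus_flag_rules | while read -r rule; do
        check="${rule#-A }"
        # shellcheck disable=SC2086 -- splitting the rule into arguments is intended
        iptables -C $check 2>/dev/null || iptables $rule
    done
}

if [ "${APPLY_SYN_HARDENING:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    enable_syncookies
    apply_bogus_flag_rules
    echo "applied $(rule_count) flag rules; tcp_syncookies=$(syncookies_state)"
else
    echo "dry run: tcp_syncookies=$(syncookies_state); rules that would be added:"
    bogus_flag_rules
fi
```

Two practical points. First, the flag rules only drop packets with combinations that never occur in a real handshake (SYN together with FIN or RST, and so on); a SYN flood made of well-formed SYN packets passes straight through them, so the syncookie setting is the part that actually keeps the backlog usable, and most current distributions already ship it set to 1, which is why the script prints the state before touching anything. Second, the post's `/etc/init.d/iptables save` is the CentOS/RHEL 6 service; on other distributions the same step is `iptables-save` redirected to whichever rules file is loaded at boot.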