How to prevent SYN flood attacks in Linux
A SYN flood attack abuses the TCP three-way handshake: the attacker sends a large number of packets that carry only the SYN flag and never completes the handshake. Each half-open connection occupies kernel resources while the server waits for the final ACK, so the SYN backlog fills up and the server denies service to legitimate clients or, in extreme cases, crashes. If a Linux server is under a SYN flood attack, the following settings can be applied:
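Before changing any settings it helps to confirm that the backlog really is filling with half-open connections and where they come from. The following shell function is an added example, not part of the original article: it reads `ss -tan` output and counts SYN-RECV sockets per peer address. The sample output embedded in the block is constructed for offline testing and does not come from a real host.

```shell
# Added example (not from the original article): summarise half-open
# (SYN-RECV) connections per peer from `ss -tan` output.
# Real usage:   ss -tan | syn_recv_report 50

# syn_recv_report THRESHOLD  (default 20)
# Reads ss-style lines on stdin and prints "<count> <peer-address>" for
# every peer holding at least THRESHOLD SYN-RECV sockets, highest first.
syn_recv_report() {
    threshold="${1:-20}"
    awk -v thr="$threshold" '
        $1 == "SYN-RECV" {
            peer = $5                      # "Peer Address:Port" column of ss -tan
            sub(/:[0-9]+$/, "", peer)      # strip the port
            gsub(/^\[|\]$/, "", peer)      # strip brackets from IPv6 literals
            n[peer]++
        }
        END {
            for (p in n) if (n[p] >= thr) printf "%d %s\n", n[p], p
        }
    ' | sort -rn
}

# Constructed sample in the format of `ss -tan` (not captured from a real system).
SAMPLE_SS_OUTPUT='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80          203.0.113.7:40001
SYN-RECV 0      0      10.0.0.5:80          203.0.113.7:40002
SYN-RECV 0      0      10.0.0.5:80          203.0.113.7:40003
SYN-RECV 0      0      [2001:db8::5]:80     [2001:db8::9]:4242
SYN-RECV 0      0      [2001:db8::5]:80     [2001:db8::9]:4243
ESTAB    0      0      10.0.0.5:22          198.51.100.2:51515
SYN-RECV 0      0      10.0.0.5:80          198.51.100.9:6000'

# Demo run against the constructed sample with a threshold of 2:
printf '%s\n' "$SAMPLE_SS_OUTPUT" | syn_recv_report 2
```

A flood that spoofs its source addresses will spread the SYN-RECV entries thinly across many peers, so in that case the total number of SYN-RECV sockets matters more than any single peer's count; compare it with net.ipv4.tcp_max_syn_backlog. Per-peer counts are still the quickest way to tell an unspoofed flood (or a misbehaving client) from a genuine traffic surge.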
Rate-limit incoming SYN packets:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
These ACCEPT rules only have an effect if a later rule, or the chain's default policy, drops the SYN packets that exceed the limit.
Allow a burst of up to 3 SYN packets, refilled at 1 per second, and reject the rest using a dedicated chain:
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT
Kernel settings: enable SYN cookies, enlarge the SYN backlog and shorten the wait for half-open connections:
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=3072
sysctl -w net.ipv4.tcp_synack_retries=0
sysctl -w net.ipv4.tcp_syn_retries=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
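Values set with sysctl -w do not survive a reboot unless they are also written to /etc/sysctl.conf or /etc/sysctl.d/, so it is worth checking periodically that the running kernel still has them. The following shell function is an added example, not part of the original article: it reads each key directly from /proc/sys and reports any value that differs from the settings listed above. The optional SYSROOT argument is an assumption introduced here so the function can be exercised against constructed files; on a real host it is simply omitted.

```shell
# Added example (not from the original article): audit the running kernel
# against the sysctl values recommended above by reading /proc/sys directly.
# Real usage:   audit_syn_sysctl          (prints nothing and returns 0 when all match)

# audit_syn_sysctl [SYSROOT]
# SYSROOT is an assumed, optional prefix in front of /proc/sys (for testing).
# Prints "<key> <current> <expected>" for each setting that differs
# ("missing" when the key does not exist) and returns 1 if any differ.
audit_syn_sysctl() {
    root="${1:-}"
    rc=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        # net.ipv4.tcp_syncookies  ->  /proc/sys/net/ipv4/tcp_syncookies
        file="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$file" ]; then
            current=$(cat "$file")
        else
            current="missing"
        fi
        if [ "$current" != "$expected" ]; then
            printf '%s %s %s\n' "$key" "$current" "$expected"
            rc=1
        fi
    done <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 3072
net.ipv4.tcp_synack_retries 0
net.ipv4.tcp_syn_retries 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.forwarding 0
net.ipv4.icmp_echo_ignore_broadcasts 1
EOF
    return "$rc"
}
```

Note that net.ipv4.tcp_syn_retries governs how often the server itself retransmits SYNs for its own outgoing connections; it does not affect incoming SYNs, so the audit flagging it is only relevant if you want that outbound behaviour as well.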
Ignore ICMP echo (ping) requests:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Drop all traffic from an offending source network (adjust the address and mask to the range that is actually flooding you):
iptables -A INPUT -s 192.168.1.1/8 -i eth0 -j DROP