Mon. Jul 13th, 2020

How to prevent SYN flood attacks in Linux

1 min read

SYN flooding attack refers to an attack method that uses the imperfect TCP/IP three-way handshake and maliciously sends a large number of packets that contain only the SYN handshake sequence. This kind of attack method may cause the attacked computer to deny service or even crash in order to keep the potential connection occupying a large number of system resources and unable to complete the three-way handshake. If you suffer an SYN flood attack under a Linux server, you can set up the following:

DDoS Research Report

Reduce SYN- Timeout time:

iptables -A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit –limit 1/sec –limit-burst 5 -j ACCEPT

Up to 3 syn packets per second

iptables -N syn-flood
iptables -A INPUT -p tcp –syn -j syn-flood
iptables -A syn-flood -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT

sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=3072
sysctl -w net.ipv4.tcp_synack_retries=0
sysctl -w net.ipv4.tcp_syn_retries=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Prevent Ping command

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Block specific IP ranges

iptables -A INPUT -s 192.168.1.1/8 -i eth0 -j Drop