Defending against a SYN-Flood Attack
What is a SYN-flood attack?
A SYN-flood attack is a denial-of-service attack in which the attacker sends a huge number of please-start-a-connection (SYN) packets and then nothing else, leaving the server with many half-open connections.
CERT has a good and detailed description.
How do I defend my Linux server?
To defend a Linux server that only has a moderate load, just turn on TCP syncookies when compiling the kernel and activate them in the /proc filesystem. That's all you need to do to be reasonably safe.
Choose HELP when activating the kernel option to get all the details.
The problem starts when the additional load introduced by generating syncookies is too much for a very busy server.
How do I find the attacker?
Finding the attacker ranges from very hard to impossible, because the sender addresses in the SYN-flood packets are usually faked ("spoofed") and don't point to the real sender.
You might however gain a few clues by writing all SYN packets to a log file. That log will include all legitimate connections opened to your server along with the SYN attack packets.
One tool to write such a log on Linux is SYNWatch by Jeff Thompson, which I have modified slightly.
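To show what such a SYN log can and cannot tell you, here is an added example (not SYNWatch code): it parses a constructed log of SYN packets, finds seconds where the SYN rate exceeds a threshold, and reports how many distinct source addresses each burst came from. The line format "<unix_time> <src_ip>:<src_port> -> <dst_port>" is an assumption, not SYNWatch's real output.

```python
"""Sliding-window SYN-rate check over a SYN log (added example, not SYNWatch code).

Assumed log line format: "<unix_time> <src_ip>:<src_port> -> <dst_port>".
"""
from collections import Counter, defaultdict

# Constructed sample: two quiet seconds, then a burst of SYNs from many
# different (most likely spoofed) sources, then normal traffic again.
SAMPLE_LOG = """\
1000 10.0.0.5:40001 -> 80
1000 10.0.0.6:40002 -> 443
1001 10.0.0.5:40003 -> 80
1002 198.51.100.1:1025 -> 80
1002 198.51.100.2:1025 -> 80
1002 198.51.100.3:1025 -> 80
1002 198.51.100.4:1025 -> 80
1002 198.51.100.5:1025 -> 80
1002 198.51.100.6:1025 -> 80
1003 10.0.0.7:40004 -> 22
"""


def parse_syn_log(text):
    """Yield (second, src_ip, dst_port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        try:
            ts, port = int(parts[0]), int(parts[3])
        except ValueError:
            continue
        src_ip = parts[1].rsplit(":", 1)[0]
        yield ts, src_ip, port


def find_syn_bursts(text, threshold=5):
    """Return {second: (syn_count, distinct_sources)} for seconds at or above threshold.

    A burst with almost as many distinct sources as SYNs is the typical
    signature of spoofed addresses: the log shows the flood, not the sender.
    """
    per_sec = defaultdict(Counter)
    for ts, src, _ in parse_syn_log(text):
        per_sec[ts][src] += 1
    return {ts: (sum(c.values()), len(c))
            for ts, c in sorted(per_sec.items()) if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for sec, (syns, sources) in find_syn_bursts(SAMPLE_LOG).items():
        print(f"second {sec}: {syns} SYNs from {sources} distinct sources")
```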
Last updated: 24 Apr 2009
Page maintained by Jan Willamowius