Defending against a SYN-Flood Attack

What is a SYN-flood attack ?

A SYN-flood attack is a denial-of-service attack where the attacker send a huge amount of please-start-a-connection packets and then nothing else.

CERT has a good and detailed description.

How do I defend my Linux server ?

To defend a Linux server that only has a moderate load, just turn on TCP syncookies when compiling the kernel and activate them in the /proc filesystem. That's all you need to do to be reasonably safe.

Choose HELP when activating the kernel option to get all the details.

The problem starts when the additional load introduced by generating syncookies is too much for a very busy server.

How to I find the attacker ?

To find the attacker is from very hard to impossible, because usually the sender address in the SYN flood packets are faked ("spoofed") and don't point to the real sender.

You might however gain a few clues by writing all SYN packets to a log file. That log will include all legitimate connections opened to your server along with the SYN attack packets.

One tool to write such a log on Linux is SYNWatch by Jeff Thompson, which I have modified slightly.


Last updated: 19. Nov 2013
Page maintained by Jan Willamowius
Imprint/Impressum · Privacy/Datenschutz
English: Home | Linux | Perl | Java | Eiffel | Books | Music | Jan Willamowius | Updates | Site Map
Deutsch: Home | Badminton | ISBN-Suche | Musik-Suche | Rezepte | Jan Willamowius