Sunday, April 17, 2005

Defending your Linux box against SYN flood attacks

Make sure you do not allow directed broadcast messages from the Internet.

There are two types of defense against DDoS attacks. Defending against a flood and keeping zombies off your system. Make sure your system is up-to-date with all your hardware and software. You also must employ egress anti-spoof filters on your external router or firewall. Since DoS attacks almost always involve some spoofed packets, egress anti-spoof filters help a lot.

The best defense I know of against an attack is fast detection and the ability to get the incident response forces moving at your ISP. You need to employ IDS tools that can quickly alert you when a DDOS attack starts. When you are alerted, you should immediately call a member of the incident response team of your ISP. They will be able to block the flood traffic at the points where it enters their network.

SYN flooding defense can be helped by having larger connection queues and SYN cookies. SYN cookies can be activated on a Linux machine by adding echo 1 > /proc/sys/net/ipv4/tcp_syncookies to your boot sequence. Also, a Linux machine can be configured as a proxy firewall that will add SYN cookie protection to an entire network. To do this visit However, if a flood attack does occur, you will need to quickly redirect critical traffic through another path, so redundant communication links are required. Another good idea would be to have 2 or more different ISP's for particularly sensitive systems.
A list of different vendor approaches and patches to this can be found at .

It would also be a good idea to create static ARP tables on your most sensitive networks to make sure no one can alter IP-to-MAC address mappings on your LANS. Although this will make managing the network more difficult, it is a good idea.

If you suspect one of your systems has been compromised and is running a zombie, check out the free tool called "Find DDOS" distributed by the National Infrastucture Protection Center. This will scan your Linux and Solaris systems.
Also, if you find a zombie you can put them to sleep with Zombie Zapper at

I would also disallow ICMP Echo Replies. It is usually allowed so that inside users can ping outside of the network and receive a response. This MUST be checked.

You can test your network to see if it can/is being used as a Smurf amplifier by visiting and use their online form to test your system.
If your network is vulnerable, you must stop directed broadcast packets at your border router or firewall.

> hi,
> i wanna be protected against syn flood attack ... ok ...
> but i don't really know what is the best solution :
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s ACCEPT
> or
> # Enable TCP SYN Cookie Protection
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> are there the same or not ???

Totally different. The first limits your system to an connection rate of 1
connect per second, this will affect users if you have a heavyly used
server, therwise it will prevent system overload by connects. If the main
purpose of your system is not serving connections, the rate limit does help
to limit the affect of connection flooding.

The second one is more specifically aimed towards syn floods and will not
impact normal operations, cause syn cookies are only used if ressources get
used up by a syn flood.

If you use syn cookies, make sure to observe your kernels log and make sure
that kernel is not sending syn cookies in normal load situations, cause this
will decrease the TCP performance of the clients. There are parameters to
tune, to make kernel wait longer before syn cookies are enabled. on small
sized servers you do not need to tune this setting.
Post a Comment