Symptoms is this is
an increase in number of SYN-RECV states in
netstat. Here is an example for SSH connections.
[...]
netstat. Here is an example for SSH connections.
[...]
tcp SYN-RECV
0 0 10.147.0.6:22 144.217.57.63:3082
tcp SYN-RECV
0 0 10.147.0.6:22 104.27.156.179:3082
tcp SYN-RECV
0 0 10.147.0.6:22 104.27.145.254:45914
tcp SYN-RECV
0 0 10.147.0.6:22 104.27.156.179:45914
tcp SYN-RECV
0 0 10.147.0.6:22 103.9.179.158:3082
tcp SYN-RECV
0 0 10.147.0.6:22 103.9.179.151:3082
tcp SYN-RECV
0 0 10.147.0.6:22 103.9.179.158:45914
[...]
Normally, 3-way
handshake happens like this.
1. Client sends SYN
packet to server
2. Server responds SYN-ACK packet to client
3. Client sends ACK packet to server
2. Server responds SYN-ACK packet to client
3. Client sends ACK packet to server
During SYN-RECV
state, client doesn't send back ACK packet. This
maybe an example of SYN flooding a type of malicious attack.
maybe an example of SYN flooding a type of malicious attack.
Several kernel
parameters can be configured to defend your server.
net.ipv4.tcp_syncookies
= 1 -->
prevents valid connections from dropping (best param to configure)
net.ipv4.tcp_max_syn_backlog
= 2048
net.ipv4.tcp_synack_retries
= 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
net.ipv4.conf.all.rp_filter
= 1
No comments:
Post a Comment