Friday, January 25, 2019

SYN Flooding


Symptoms is this is an increase in number of SYN-RECV states in
netstat. Here is an example for SSH connections.

[...]
tcp    SYN-RECV   0      0      10.147.0.6:22                 144.217.57.63:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.156.179:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.145.254:45914             
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.156.179:45914             
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.158:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.151:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.158:45914
[...]

Normally, 3-way handshake happens like this.

1. Client sends SYN packet to server
2. Server responds SYN-ACK packet to client
3. Client sends ACK packet to server
 
During SYN-RECV state, client doesn't send back ACK packet. This
maybe an example of SYN flooding a type of malicious attack.

Several kernel parameters can be configured to defend your server.

net.ipv4.tcp_syncookies = 1  --> prevents valid connections from dropping (best param to configure)
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
net.ipv4.conf.all.rp_filter = 1
 

No comments:

Post a Comment