[ILUG] SYN flood protection
Ciaran Johnston
cj at nologic.org
Mon Nov 1 11:28:55 GMT 2010
Hi folks,
Thanks for all the replies on the subject, some of which pointed out some
useful tools I hadn't been aware of before. Ultimately none of them were
any use in this particular attack, which is still ongoing. However I did
manage to set up nginx as a proxy for apache and it seems to be able to
handle the SYN requests and pass on valid requests to Apache listening on
a different port.
I did manage to get some iptables rules working which nearly managed to
quell the invalid SYNs while allowing real requests through, but it was
fairly flakey.
Thanks and regards,
Ciaran.
Daragh MacLoughlin wrote:
> Try: http://www.configserver.com/cp/csf.html
>
> Regards,
>
> Daragh
>
> On Fri, Oct 29, 2010 at 12:30 PM, ajh <ajh at devfoo.net> wrote:
>> On Fri, Oct 29, 2010 at 12:03 PM, Kieran Tully <kieran.tully at gmail.com>
>> wrote:
>>>
>>> At http://deflate.medialayer.com/ there is a script called DDoS-Deflate
>>>
>>> It adds iptables rules to blackhole machines that make more connections
>>> than
>>> the threshold. It's a little bit rough around the edges, but if it
>>> manages to
>>> understand the output of netstat on your system, it does work quite
>>> well. It
>>> costs relatively little to block a host.
>>
>> I don't know if DDoS-Deflate counts connections in SYN_RECV to
>> blacklist but someone could craft a SYN packet with a spoofed IP of an
>> upstream router and have your device blacklist itself off the
>> Internet. Hopefully it is has a way of whitelisting IPs.
>> --
>> Irish Linux Users' Group mailing list
>> About this list : http://mail.linux.ie/mailman/listinfo/ilug
>> Who we are : http://www.linux.ie/
>> Where we are : http://www.linux.ie/map/
>>
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>
More information about the ILUG
mailing list