Possible SYN Flooding on Port 80. Sending Cookies
“possible SYN flooding on port 80. Sending cookies.” is the kernel message I found waiting for me on Monday of this week on our web server. With the site crawling and being driven to its knees, I needed to figure out the best way to stop this attack. Here’s what I came up with:
First, turn off net.ipv4.tcp_syncookies (I know this is supposed to help, but it caused more harm than good):
sysctl -w net.ipv4.tcp_syncookies=0
Next I wrote this small script to block, using iptables, any host with more than 15 connections sitting in the SYN_RECV state:
#!/bin/bash
# Every 2 seconds, count half-open (SYN_RECV) connections per foreign address and
# DROP any address with more than 15. Needs root, iptables and netstat (net-tools).
touch ips   # file of already-blocked addresses; create it so grep never fails on a missing file
while true
do
  netstat -n --tcp --numeric-hosts | awk '/SYN_RECV/ { print $5 }' | sed 's/:.*//' | sort | uniq -c | awk '$1 > 15 { print $2 }' | while read ip; do
    if ! grep -qxF "$ip" ips; then      # -x -F: exact, literal match (a "." in an IP is not a regex wildcard)
      iptables -A INPUT -s "$ip" -j DROP
      echo "$ip" >> ips
    fi
  done
  sleep 2
done
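As an added example (not the author’s script), the same detection step reimplemented in Python as a dry run over a constructed netstat sample: it counts SYN_RECV entries per foreign address, splits on the last colon so IPv6 addresses are not truncated the way the sed colon-strip would truncate them, skips hosts already on the block list, and returns the iptables commands instead of executing them; the threshold is a parameter (the post uses 15).

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed sample of `netstat -n --tcp` output (not captured from the author's server).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:ff::2:33001    SYN_RECV
tcp6       0      0 2001:db8::1:80          2001:db8:ff::2:33002    SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40213      SYN_RECV
"""


def syn_recv_sources(netstat_output: str) -> Dict[str, int]:
    """Count half-open (SYN_RECV) connections per foreign address.

    The port is split off at the LAST colon, so an IPv6 foreign address such as
    2001:db8:ff::2:33001 yields 2001:db8:ff::2 rather than just "2001".
    """
    counts: Counter = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header and short lines have no State column in field 6.
        if len(fields) < 6 or fields[5] != "SYN_RECV":
            continue
        foreign_host = fields[4].rsplit(":", 1)[0]
        counts[foreign_host] += 1
    return dict(counts)


def block_commands(netstat_output: str, threshold: int, already_blocked: Set[str]) -> List[str]:
    """Return the firewall commands the script would issue (dry run; nothing is executed).

    Hosts at or below the threshold, and hosts already in `already_blocked`
    (the script's `ips` file), produce no command.
    """
    commands = []
    for host, count in sorted(syn_recv_sources(netstat_output).items()):
        if count > threshold and host not in already_blocked:
            tool = "ip6tables" if ":" in host else "iptables"
            commands.append(f"{tool} -A INPUT -s {host} -j DROP")
    return commands
```

Note that per-address blocking only helps when the offending sources are real and few; a flood from spoofed or widely spread source addresses never pushes any single address over the threshold, which is why SYN cookies are the usual kernel-level defence.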
Within about 15 minutes things started to act normal again. I would probably re-enable net.ipv4.tcp_syncookies after a few days, if only because it logs the attack, which makes it easier to identify.