Tuesday, January 06, 2009

Protecting from a DDOS SYN FLOOD on port 80 (Apache, Ubuntu)

Other keywords: SYN_RECV, TIME_WAIT

sysctl -w net.ipv4.tcp_synack_retries="1"
sysctl -w net.ipv4.tcp_max_syn_backlog="40000"
sysctl -w net.ipv4.netfilter.ip_conntrack_max="200000"
sysctl -w net.ipv4.tcp_fin_timeout="3"

/sbin/iptables -A INPUT -i eth2 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth2 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth2 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
(you can ignore the iptables part, probably doesn't help that much)

In Apache, increase the maximum number of concurrent connections.

I also learned that while in theory putting a squid in reverse proxy on port 80 to protect the Apache behind it is a good idea, squid sucks at it.

Oh, I almost forgot. Make sure syn_cookies is active (if you kernel supports it):
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Google is your friend for further details on the above settings.

More:
http://tools.ietf.org/html/rfc4987#section-3.5
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

1 comment:

Unknown said...

TimeOut 1 or lower is also needed in apache conf.