Help Detect and Prevent SYN Flood Attack

Issue: Websites take a long time to load, or only load some elements of pages, and services on the server appear extremely slow or unresponsive. The CentOS / cPanel server is often experiencing SYN flood attacks. Investigation suggests both spoofed-IP and direct attacks are being used.

To check whether requests are sitting in the “SYN_RECEIVED” state (shown by netstat as SYN_RECV), the following commands will assist:

netstat -tuna | grep :80 | grep SYN_RECV
netstat -tuna | grep :443 | grep SYN_RECV

If the above displays several connections in this state, it indicates the server may be under a SYN flood attack.

Solution:

If the attack is direct, with several SYN_RECV entries from a single IP address, you can add that address to the firewall block list. If using CSF, the quick command line syntax would be:

csf -d xxx.xxx.xxx.xxx
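
A small shell helper, added here as an example and not taken from the article, that turns the netstat checks above into a per-source count of half-open connections so a direct attacker stands out from a spoofed flood. It reads `netstat -tuna` output on stdin; the sample output embedded below is constructed, and the threshold of 3 is an assumed value to be tuned to the host's normal traffic.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuna` output (not real traffic): a few
# ESTABLISHED sessions plus a burst of SYN_RECV entries from one source.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.45:40002        SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.45:40003        SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.9:55555      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.45:40004        SYN_RECV
tcp        0      0 203.0.113.10:22         198.51.100.7:51240      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Count half-open (SYN_RECV) connections to local ports 80 and 443 per remote
# IP. Reads netstat-style lines on stdin; prints "count ip", highest first.
syn_recv_by_ip() {
    awk '$1 == "tcp" && $6 == "SYN_RECV" && $4 ~ /:(80|443)$/ {
             ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Total half-open count across all sources. A high total with no single heavy
# source is the pattern of a spoofed-source flood, where per-IP blocking will
# not help and the sysctl hardening below is the relevant defence.
syn_recv_total() {
    syn_recv_by_ip | awk '{ s += $1 } END { print s + 0 }'
}

# Print each source IP holding at least THRESHOLD half-open connections: the
# direct-attack case where a CSF block of that address is appropriate.
# The default threshold of 3 is a hypothetical starting point, not a standard.
flood_suspects() {
    threshold="${1:-3}"
    syn_recv_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Live use on the server:  netstat -tuna | flood_suspects 20
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_ip
```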

To help defend against future attacks, you can edit the sysctl.conf file:

nano /etc/sysctl.conf

and add (or edit) the following lines:

# Start SYN attack mitigation
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.conf.all.rp_filter = 1
# End SYN attack mitigation

then apply the new settings so they take effect:

sysctl -p

Use SYN cookies:
net.ipv4.tcp_syncookies = 1
This allows the server to avoid dropping connections when its SYN queue fills. The server then behaves as if the SYN queue were enlarged: it sends the SYN+ACK response to the client and discards the SYN queue entry. If the server later receives the client's ACK, it can reconstruct the SYN queue entry from the information encoded in the TCP sequence number.

Reduce the number of SYN_ACK retries:
net.ipv4.tcp_synack_retries = 3
Changing this kernel parameter causes the kernel to close a connection in the SYN_RECV state sooner, because fewer SYN+ACK retransmissions are attempted before the half-open entry is dropped. The default value is 5.

Prevent IP spoofing:
net.ipv4.conf.all.rp_filter = 1
This parameter enables reverse-path filtering, which helps protect against IP spoofing; spoofed source addresses are also commonly used in SYN flood attacks.
