Archive for the ‘DDOS’ Category

How to stop syn attack on linux server

Sunday, December 20th, 2009

The SYN (TCP connection request) attack is a common denial of service (DoS) technique.

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

How to check for a SYN attack on the server.

A quick and useful command for checking if a server is under ddos:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That lists the IPs with the most connections to the server. Bear in mind that DDoS is becoming more sophisticated and attackers are using fewer connections from a larger number of attacking IPs. In that case you will still see low per-IP connection counts even while you are under a DDoS.

Another very important thing to look at is how many active connections your server is currently processing.

netstat -n | grep :80 |wc -l

netstat -n | grep :80 | grep SYN |wc -l

The first command shows the number of active connections open to your server. Many of the attacks typically seen work by starting a connection to the server and then never replying, so the server waits for it to time out. The number of active connections from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command returns over 100, you are having trouble with a SYN attack.

Solution:

First go with

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

and then

Then try all of these iptables rules, since there may be other attacks going on too.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

then,

service iptables save
service iptables restart

That should resolve your issue.

Prevent DDoS attacks on your Linux server

Wednesday, October 28th, 2009

DDoS, or Distributed Denial of Service, is an advanced version of a DoS (Denial of Service) attack. Like DoS, DDoS tries to deny important services running on a server by sending packets to the destination server faster than it can handle them.

There is no 100% perfect solution for DDoS. We can only mitigate it to a certain extent by securing our networks and servers. Here I am trying to explain DDoS on HTTP, which is common in the web hosting industry.

When you see your server load increasing, it can be the result of a DDoS attack on your server. You can use the command "w" to check the load on the server. If the load is not normal (say above 5), go through the following steps to see if a DDoS attack is going on.

The following command gives a sorted list of IP addresses connected to the server on port 80.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The result of the above command lists all IP addresses connected to the server on port 80, together with the number of connections from each. A value below 10 is acceptable; that is, there is no problem with HTTP connections to the server. If you find any IP address with a large number of connections (say 50), it should be double-checked. It is always good to block the IP addresses in question. If we ignore this, it may lead to the server going down!
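The netstat pipelines in this post and in the SYN-attack post above work for IPv4, but `cut -d: -f1` mangles IPv6 peers and the `-a` variants count listening sockets as a peer of 0.0.0.0. As an added example (not code from either post), this Python parser reproduces the per-IP, active and SYN_RECV counts over a constructed `netstat -anp` sample and applies the posts' rules of thumb (500 active, 100 SYN, 50 per IP); the sample addresses and the function names are assumptions.

```python
from collections import Counter

# Constructed `netstat -anp` sample (not from a real host): IPv4, IPv6 and LISTEN sockets.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address  Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80     0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80    203.0.113.7:51234       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80    203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:80    203.0.113.7:51236       SYN_RECV    -
tcp        0      0 10.0.0.5:80    198.51.100.9:44000      ESTABLISHED 1234/httpd
tcp6       0      0 :::80          :::*                    LISTEN      1234/httpd
tcp6       0      0 2001:db8::1:80 2001:db8:ffff::2:40001  SYN_RECV    -
tcp6       0      0 2001:db8::1:80 2001:db8:ffff::2:40002  ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:123    0.0.0.0:*                           99/ntpd
"""

def split_addr(addr):
    """Split 'host:port' from the right so IPv6 hosts survive (cut -d: -f1 does not)."""
    host, _, port = addr.rpartition(":")
    return host, port

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per socket line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue                        # header or non-socket line
        lip, lport = split_addr(f[3])
        rip, rport = split_addr(f[4])
        state = f[5] if f[0].startswith("tcp") and len(f) > 5 else ""  # UDP lines carry no state
        yield (f[0], lip, lport, rip, rport, state)

def connections_per_ip(text, port=None):
    """Connections per peer IP, like the posts' sort|uniq -c pipelines; LISTEN sockets excluded."""
    return Counter(r[3] for r in parse_netstat(text)
                   if r[4] != "*" and (port is None or r[2] == str(port)))

def syn_recv_count(text, port=80):
    """Half-open connections on a port: the post's `grep :80 | grep SYN | wc -l`."""
    return sum(1 for r in parse_netstat(text) if r[2] == str(port) and r[5] == "SYN_RECV")

def assess(text, port=80, active_limit=500, syn_limit=100, per_ip_limit=50):
    """Apply the posts' rules of thumb (500 active, 100 SYN_RECV, 50 per IP) and report."""
    per_ip = connections_per_ip(text, port)
    active = sum(per_ip.values())
    syn = syn_recv_count(text, port)
    return {"active": active, "syn_recv": syn, "under_attack": active > active_limit or syn > syn_limit,
            "suspect_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)}
```

Feed it real output with `assess(subprocess.check_output(["netstat", "-anp"], text=True))` and lower the limits to suit your own baseline.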

You can use the following command to block the IP address.