Prevent syn floods [SYN_RECV] attack on Linux (cPanel) Server

One of my Linux servers (CentOS, cPanel) is under SYN flood attacks coming from different spoofed IP addresses and ports, as in the logs below.

root@yes [~]# netstat -n -p | grep SYN_REC | sort -u

The total number of attacking IPs is 576 today; it was 1024 yesterday.

root@host [~]# netstat -n -p | grep SYN_REC | wc -l
576

I've used CSF (ConfigServer Firewall), but it is not protecting the server. I've set the parameters below, plus High Security Level:

Code:
SYNFLOOD = 1
SYNFLOOD_RATE = 1/s
SYNFLOOD_BURST = 3

When it is running, I am not able to log in to the server and all services are down, so I stopped it. Also, the inetbase DDoS script is not working…

This solution worked until today, because the attacker increased the number of spoofed IPs.

I am also using iptables to filter incoming TCP SYN requests. My iptables rules are below:

Code:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

I've limited incoming TCP requests on port 80 with iptables:

Code:
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This should be useful to prevent a SYN_RECV flood attack on a Linux server. You can try it at your own risk.
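As an added example that is not part of the original post, the shell helpers below triage `netstat -n -p` output per source address, so you can tell whether the half-open connections come from a few hosts (where a per-IP rule like the `-m recent` one above can help) or from many spoofed sources each sending a little (where it cannot). The sample addresses are constructed from RFC 5737 documentation ranges, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SYN_RECV entries
# in `netstat -n -p` output per source address. Many sources with few
# half-open connections each is the spoofed-source pattern the post
# describes, where per-IP limits (-m recent) cannot help much.

# Constructed sample in the post's format (RFC 5737 documentation
# addresses, not real hosts); the last line is a normal connection.
SAMPLE_NETSTAT='tcp 0 0 192.0.2.10:80 198.51.100.7:19324 SYN_RECV -
tcp 0 0 192.0.2.10:80 198.51.100.7:19325 SYN_RECV -
tcp 0 0 192.0.2.10:80 198.51.100.7:19326 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.44:51875 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.44:51877 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.91:2130 SYN_RECV -
tcp 0 0 192.0.2.10:22 203.0.113.200:40000 ESTABLISHED 1234/sshd'

# Total half-open connections, like the post's "grep SYN_REC | wc -l".
syn_recv_total() {
    awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Half-open connections per source IP (port stripped), busiest first.
# Output lines are "count ip".
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of distinct source IPs with half-open connections.
syn_recv_sources() {
    syn_recv_by_source | wc -l | tr -d ' '
}

# Source IPs at or above a threshold of half-open connections
# (default 3, the post's --hitcount value).
syn_recv_over() {
    syn_recv_by_source | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf 'half-open total: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_total)"
printf 'distinct sources: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources)"
printf 'per source:\n'
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
printf 'at or above 3:\n'
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_over 3
```

On a live server, replace the sample with `netstat -n -p | syn_recv_by_source` (or `ss -ntp state syn-recv` on newer systems, which prints a different column layout).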

Thank You

http://linuxthink.blogspot.com.br/2011/03/prevent-syn-floods-synrecv-attack-on.html
