This is a discussion on HELP Under Attack within the Linux Security forums, part of the System Security and Security Related category.
> How do I stop a DoS SYN attack. My ISP has already stopped UDP
> connections from hitting my servers, but I still have 225,000
> connections to my 5 servers from a SYN attack.

Newer Linux kernels have a feature that is supposed to be able to reduce the burden of SYNs flooding the TCP/IP stack. Try:

$ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
$ cat /proc/sys/net/ipv4/tcp_syncookies

Should show 1 for enabled.

--
Jem Berkes
http://www.sysdesign.ca/
On 2004-08-23, Jim G. <jgrago@NO_SPAM-twcny.rr.com> wrote:
> How do I stop a DoS SYN attack. My ISP has already stopped UDP connections
> from hitting my servers, but I still have 225,000 connections to my 5
> servers from a SYN attack.
>

hmmm the signs of preparation.... :) As if I could talk anyway.

The thing is to 'acquire' a DoS attack you must have annoyed someone or been a high profile company....only curious why they would target you.

As for fixes, first of all drop all traffic from countries you expect no traffic from (or rather probably better only permit the ones you do business with through)[1].

As for SYN-Cookies, make sure you have stacks of memory available and a couple of CPU cycles to spare...

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

and that's it....30 seconds of Google searching would have told you this.

Another thing you should try is using Ethereal[2] and seeing if the script kiddy has made the common mistake of having something 'static' in the DoS attack (usually the source port or sequence number). With this you can filter upstream by the ISP or yourself.

Have fun and let me know how you get along ;)

Cheers

Alex

[1] http://ip.ludost.net/
[2] http://www.ethereal.com/
Hello, yes we are a well known company and we currently have 5 servers with a load balancer. The balancer did a good job keeping up with the attack. From what I have read tcp_syncookies takes the load off of apache and transfers it to the kernel. I cannot drop traffic to any country because we deal with all countries around the world. I will let you know how this works.

Thanks!

"Alexander Clouter" <alex@digriz.junk-this.org.uk> wrote in message news:412a7780$1_2@127.0.0.1...
> Hello, yes we are a well known company and we currently have 5 servers
> with a load balancer. The balancer did a good job keeping up with the
> attack. From what I have read tcp_syncookies takes the load off of
> apache and transfers it to the kernel. I cannot drop traffic to any
> country because we deal with all countries around the world.

If the attacking IP addresses are genuine, then I would strongly recommend importing the big list of known compromised/zombie IP addresses from ahbl.org, cbl.abuseat.org and using these IPs in your firewall rule to block packets.

But if the IP addresses are forged, SYN cookies are your best bet. Of course you can't do anything about the bandwidth wasted by the attack, but it should keep the connection table in your TCP/IP stack clean.

--
Jem Berkes
http://www.sysdesign.ca/
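To show why SYN cookies keep the connection table clean even when the source addresses are forged (Jem's point here and in his first reply), an added example that is neither from the thread nor the Linux kernel's code: a simplified stateless cookie in the style of tcp_syncookies. The secret, the MSS table and the 5/3/24-bit layout are constructed simplifications, not the kernel's exact encoding.

```python
import hashlib
import hmac
import struct

# Constructed server secret (assumption: fixed so the example is
# deterministic; the kernel uses random per-boot keys).
SECRET = b"constructed-example-secret"

# Simplified MSS table, indexed by 3 bits of the cookie, so the server can
# recover the client's MSS later without having stored the SYN.
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the coarse time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK: 5 bits of counter | 3 bits MSS index |
    24-bit MAC, added to the client ISN. No connection-table entry is made,
    so a flood of spoofed SYNs costs only the hash, not memory."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    cookie = ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, count)
    return (cookie + client_isn) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, ack, count, max_age=2):
    """Validate the final ACK of the handshake. Returns the recovered MSS,
    or None if the cookie is forged or older than max_age counter ticks."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    age = (count - (cookie >> 27)) & 0x1F        # 5-bit counter wraps at 32
    mss_idx = (cookie >> 24) & 0x7
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, count - age):
        return None
    return MSS_TABLE[mss_idx]


# Constructed 4-tuple: 198.51.100.7:40211 -> 203.0.113.10:80
CLIENT = (b"\xc6\x33\x64\x07", b"\xcb\x00\x71\x0a", 40211, 80)


def demo(count=1000):
    """A real client answers the SYN-ACK with ack = server ISN + 1 and the
    server rebuilds the connection from the cookie alone; a spoofed source
    never sees the SYN-ACK, so no ACK arrives and nothing was ever allocated."""
    srv_isn = make_cookie(*CLIENT, client_isn=0x12345678, mss=1460, count=count)
    return check_cookie(*CLIENT, client_isn=0x12345678, ack=srv_isn + 1, count=count)
```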
Thanks!

The IPs are spoofed. I had contacted Comcast on one of the IPs that came back to Plattsburgh, NY; they contacted the user and they said the user had no clue that their PC was being used in an attack. I have enabled the tcp_syncookies.

Thanks again
Jim

"Jem Berkes" <jb@users.pc9.org> wrote in message news:Xns954F621657246jbuserspc9org@130.179.16.24...