This is a discussion on Dos attack within the Linux Security forums, part of the System Security and Security Related category; How do I stop a Dos Syn Attack. My isp has already stopped Upd connections from hitting my servers, but ...
How do I stop a DoS SYN attack? My ISP has already stopped UDP connections from hitting my servers, but I still have 225,000 connections to my 5 servers from a SYN attack. My load balancer is doing well keeping up, and I read something about tcp_syncookies: will that help if I enable it? I am behind a firewall, but it's still causing my site to slow.

Help!!!

Jim
Jim G. wrote:
> How do I stop a DoS SYN attack? My ISP has already stopped UDP connections
> from hitting my servers, but I still have 225,000 connections to my 5
> servers from a SYN attack. My load balancer is doing well keeping up and I
> read something about tcp_syncookies, will that help if I enable it? I am
> behind a firewall, but it's still causing my site to slow.
>
> Help!!!
>
> Jim

SYN cookies. Google for it. Read up on it.

--
Your lucky number is 3552664958674928. Watch for it everywhere.
Jim G. wrote:
> How do I stop a DoS SYN attack? My ISP has already stopped UDP connections
> from hitting my servers, but I still have 225,000 connections to my 5
> servers from a SYN attack. My load balancer is doing well keeping up and I
> read something about tcp_syncookies, will that help if I enable it? I am
> behind a firewall, but it's still causing my site to slow.
>
> Help!!!
>
> Jim

Oh, I forgot. If you want, you can use iptables to filter what's incoming, so that could help. If this machine is a home desktop, I recommend not allowing incoming SYN except when necessary anyway, but then again, read up on iptables as well.

--
Yesterday I was a dog. Today I'm a dog. Tomorrow I'll probably still be a dog. Sigh! There's so little hope for advancement. -- Snoopy
NeoSadist wrote:
> Jim G. wrote:
>
>> How do I stop a DoS SYN attack? My ISP has already stopped UDP connections
>> from hitting my servers, but I still have 225,000 connections to my 5
>> servers from a SYN attack. My load balancer is doing well keeping up and I
>> read something about tcp_syncookies, will that help if I enable it? I am
>> behind a firewall, but it's still causing my site to slow.
>>
>> Help!!!
>>
>> Jim
>
> Oh, I forgot. If you want, you can use iptables to filter what's incoming,
> so that could help. If this machine is a home desktop, I recommend
> not allowing incoming SYN except when necessary anyway, but then again,
> read up on iptables as well.

This solution is good if you don't have to accept incoming connections, but if you have to, then it's a bit harder. You could just let in the SYNs that have a destination address in your network, because I have found most of the SYN packets are spoofed.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
On Wed, 25 Aug 2004 04:23:22 +0200, Jose Maria Lopez Hernandez wrote:
> This solution is good if you don't have to accept incoming
> connections, but if you have to then it's a bit harder.

Why is that? You could set the default policy of the INPUT chain to DROP, and then match needed ports by setting up rules in the chain. That is the usual practice. :)

--
Sandro Mangovski
ICQ: 92602206 | IRC: <Fish/#linux>@irc.idolnet.org
On Wed, 25 Aug 2004 04:23:22 +0200, Jose Maria Lopez Hernandez wrote:
> This solution is good if you don't have to accept incoming
> connections, but if you have to then it's a bit harder.

Why is that? You could set the default policy of the INPUT chain to DROP, and then match needed ports by setting up rules in the chain. That is the usual practice. :) Apart from dport matching, you need to let ESTABLISHED and RELATED connections in, and that is it.

Regards,

--
Sandro Mangovski
ICQ: 92602206 | IRC: <Fish/#linux>@irc.idolnet.org
Sandro Mangovski wrote:
> On Wed, 25 Aug 2004 04:23:22 +0200, Jose Maria Lopez Hernandez wrote:
>
>> This solution is good if you don't have to accept incoming
>> connections, but if you have to then it's a bit harder.
>
> Why is that? You could set the default policy of the INPUT chain to DROP, and then
> match needed ports by setting up rules in the chain. That is the usual
> practice. :) Apart from dport matching, you need to let ESTABLISHED and RELATED
> connections in, and that is it.
>
> Regards,

I was talking about rejecting attacks like the SYN portscans from nmap, where it's very difficult to check if it's a real connection or a portscan. I know it's not a real danger, because you would need a huge amount of SYNs to make a DoS (maybe a DDoS).

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"