Re: SynFloods and CPU usage with and without iptables. Confused!

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alex Flex <aflexzor@gmail.com>
To: Payam Chychi <pchychi@gmail.com>, netfilter@vger.kernel.org
Subject: Re: SynFloods and CPU usage with and without iptables. Confused!
Date: Sat, 04 May 2013 12:45:57 -0600	[thread overview]
Message-ID: <51855765.9020305@gmail.com> (raw)
In-Reply-To: <7668B4D1FBE84D73BC3BFBFCAFCBEC1F@gmail.com>

Payam,

This is the copy of sysctl.conf on the second machine that got DoSed 
with 20mbits if you think it helps..

#DEFAULTS
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

###########################################################################################################

# MODIFIED VERSION -- REPLACES DEFAULTS
# March 12 2012 JP - Based on a Red Hat based distro.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
#net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
#net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 0

#Disable ALL ICMP
net.ipv4.icmp_echo_ignore_all = 0

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

########## IPv6 networking start ##############
#DISABLE IPV6
net.ipv6.conf.all.disable_ipv6 = 1
########## IPv6 networking ends ##############

#Enable ExecShield protection
#kernel.exec-shield = 1
#kernel.randomize_va_space = 1

# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
#fs.file-max = 65535

#Allow for more PIDs
#kernel.pid_max = 65536


Thanks
Alex

next prev parent reply	other threads:[~2013-05-04 18:45 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-04 17:15 SynFloods and CPU usage with and without iptables. Confused! Alex Flex
     [not found] ` <27F4C2E78FB64527A44CA6E3BC368315@gmail.com>
     [not found]   ` <7668B4D1FBE84D73BC3BFBFCAFCBEC1F@gmail.com>
2013-05-04 18:42     ` Alex Flex
2013-05-04 18:45     ` Alex Flex [this message]
     [not found]       ` <417A64583B334DA0B8977D49C5A09DEE@gmail.com>
2013-05-04 20:41         ` Alex Flex
2013-05-04 21:01 ` Jozsef Kadlecsik
  -- strict thread matches above, loose matches on Subject: below --
2013-05-04 17:24 Alex Flex
2013-05-04 21:39 ` hdemir
2013-05-04 22:07   ` Steve Kann
2013-05-05  1:27     ` Alex Flex
2013-05-05  1:34       ` Steve Kann
2013-05-05  2:01         ` Alex Flex
2013-05-05  1:29   ` Alex Flex
2013-05-06 11:27     ` Husnu Demir

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51855765.9020305@gmail.com \
    --to=aflexzor@gmail.com \
    --cc=netfilter@vger.kernel.org \
    --cc=pchychi@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.