* sync flood and resource utilization .
From: ratheesh k @ 2010-02-27 5:35 UTC (permalink / raw)
To: netfilter
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
When I SYN flooded my desktop, I can see all packets are getting
rejected by the rule. But the system becomes slow because of this. Is
there any way to make the system fast? Will blacklisting help?
Thanks,
Ratheesh
* Re: sync flood and resource utilization .
From: lists @ 2010-02-27 7:09 UTC (permalink / raw)
To: netfilter
On Sat, 2010-02-27 at 11:05 +0530, ratheesh k wrote:
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j ACCEPT
>
> When I SYN flooded my desktop, I can see all packets are getting
> rejected by the rule. But the system becomes slow because of this. Is
> there any way to make the system fast? Will blacklisting help?
IIRC syn_cookies were meant to deal with that.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
http://www.securityfocus.com/infocus/1729
http://www.unixresources.net/linux/lf/57/archive/00/00/09/85/98546.html
--
Rob
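Rob's reply points at tcp_syncookies. The Python below is an added example of how a classic SYN cookie works; it is not code from this thread and not the Linux implementation (the kernel's cookie layout and hashing differ). The server folds a slow time counter, an MSS index and a keyed hash of the connection 4-tuple into the ISN of its SYN-ACK and stores nothing for the half-open connection; the client's ACK carries the cookie back as ack-1, where it is recomputed and checked. SECRET, MSS_TABLE, COUNTER_PERIOD and the 5/3/24-bit layout are assumptions of this model.

```python
"""Model of classic SYN cookies, the mechanism behind tcp_syncookies.

Added example; not code from this thread and not the Linux implementation.
The server folds a slow time counter, an MSS index and a keyed hash of the
connection 4-tuple into the initial sequence number of its SYN-ACK. It
stores nothing for the half-open connection: when the client's ACK arrives,
ack-1 is the cookie and can be recomputed and checked. A SYN that is never
followed by an ACK therefore costs no memory, which is the point under a flood.
SECRET, MSS_TABLE and COUNTER_PERIOD are assumptions for the model.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)              # assumed per-host key; the kernel rotates its own
MSS_TABLE = [536, 1300, 1440, 1460]  # assumed 3-bit MSS encoding table
COUNTER_PERIOD = 64                  # assumed seconds per tick of the slow counter
MAX_AGE_TICKS = 1                    # accept cookies from the current and previous tick


def counter(now):
    """Slow time counter: one tick every COUNTER_PERIOD seconds."""
    return int(now // COUNTER_PERIOD)


def _mac(saddr, daddr, sport, dport, tick):
    """24-bit keyed hash over the 4-tuple and the counter tick."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Server side: the ISN to send in the SYN-ACK. No state is kept."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if mss <= client_mss:
            idx = i
    tick = counter(now)
    # layout: 5 bits of counter | 3 bits MSS index | 24 bits MAC
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, tick)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Server side: validate the cookie carried as ack-1 in the client's ACK.

    Returns the MSS to use for the connection, or None if the cookie was
    forged, replayed against a different 4-tuple, or is too old.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    tick_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    for age in range(MAX_AGE_TICKS + 1):
        tick = counter(now) - age
        if (tick & 0x1F) != tick_low:
            continue
        expected = _mac(saddr, daddr, sport, dport, tick).to_bytes(3, "big")
        if idx < len(MSS_TABLE) and hmac.compare_digest(expected, mac.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


def handshake(saddr, daddr, sport, dport, client_mss, now, complete=True):
    """Three-way handshake under SYN cookies.

    complete=False models a flooder that never ACKs: the server computed a
    SYN-ACK but stored nothing, so there is nothing to time out or clean up.
    Returns the MSS the server accepts, or None.
    """
    isn = make_cookie(saddr, daddr, sport, dport, client_mss, now)  # SYN-ACK seq
    if not complete:
        return None
    ack = (isn + 1) & 0xFFFFFFFF        # client ACKs the SYN-ACK half a second later
    return check_cookie(saddr, daddr, sport, dport, ack, now + 0.5)
```

Two caveats that apply to the real thing as much as to the model: only what fits in the ISN survives, so TCP options from the SYN (window scale, SACK) are lost unless the stack can recover them from timestamps, and cookies only engage once the listen backlog overflows. With `iptables -A INPUT -j DROP` in place SYNs never reach the listener at all, so the remaining cost on that box is the per-packet netfilter traversal, which is what the rate-limiting answers below address.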
* Re: sync flood and resource utilization .
From: ratheesh k @ 2010-02-27 12:10 UTC (permalink / raw)
To: lists; +Cc: netfilter
Since I am dropping all SYN packets, there won't be any connections
in SYN ACCEPT state (netstat).
On Sat, Feb 27, 2010 at 12:39 PM, <lists@sterenborg.info> wrote:
> On Sat, 2010-02-27 at 11:05 +0530, ratheesh k wrote:
>> iptables -A INPUT -j DROP
>> iptables -A OUTPUT -j ACCEPT
>>
>> When I SYN flooded my desktop, I can see all packets are getting
>> rejected by the rule. But the system becomes slow because of this. Is
>> there any way to make the system fast? Will blacklisting help?
>
> IIRC syn_cookies were meant to deal with that.
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> http://www.securityfocus.com/infocus/1729
> http://www.unixresources.net/linux/lf/57/archive/00/00/09/85/98546.html
>
>
> --
> Rob
>
>
* Re: sync flood and resource utilization .
From: Mart Frauenlob @ 2010-02-28 9:19 UTC (permalink / raw)
To: netfilter
On 27.02.2010 06:36, netfilter-owner@vger.kernel.org wrote:
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j ACCEPT
>
> When I SYN flooded my desktop, I can see all packets are getting
> rejected by the rule. But the system becomes slow because of this. Is
> there any way to make the system fast? Will blacklisting help?
>
g00gle is your friend:
search: syn flood protection iptables
or:
syn flood protection iptables hashlimit recent blacklist
You can do some of this with a simple 'limit',
or something more complex with 'hashlimit' and 'recent'.
Best regards
Mart
* Re: sync flood and resource utilization .
From: J. Bakshi @ 2010-02-28 10:50 UTC (permalink / raw)
To: netfilter
On Sun, 28 Feb 2010 10:19:03 +0100
Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> On 27.02.2010 06:36, netfilter-owner@vger.kernel.org wrote:
> > iptables -A INPUT -j DROP
> > iptables -A OUTPUT -j ACCEPT
> >
> > When I SYN flooded my desktop, I can see all packets are getting
> > rejected by the rule. But the system becomes slow because of this. Is
> > there any way to make the system fast? Will blacklisting help?
> >
>
I use the following
[..........]
# hashlimit-htable-expire: idle entries are dropped after 5 min (300000 ms)
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m hashlimit \
    --hashlimit 200/sec --hashlimit-burst 3 --hashlimit-htable-expire 300000 \
    --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
# Drop bad IPs and put them in the blacklist
iptables -A syn-flood -m recent --name blacklist --set -j DROP
iptables -A INPUT -j syn-flood
[.....]
These rules should come after all your incoming rules. They are also effective against an Apache Benchmark attack and a ping flood.
regards
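To make the behaviour of the posted hashlimit/recent rules concrete, here is an added Python model of that chain run over a constructed SYN stream; it is not code from this thread and not netfilter's own logic. `hashlimit --hashlimit-mode srcip` is modelled as a token bucket per source IP (capacity = `--hashlimit-burst`, refill = the `--hashlimit` rate, entry discarded after `--hashlimit-htable-expire`), and the `recent` list as a table of last-seen timestamps. The quoted rules `--set` the blacklist, but the excerpt (with its `[.....]` elision) shows no rule consulting it, so the model assumes a preceding `-m recent --name blacklist --rcheck --seconds N -j DROP` step (`ban_seconds`) so that the effect of a consulted blacklist is visible. The traffic, addresses and rates are constructed.

```python
"""Model of the per-source SYN limiter in the rules above.

Added example; not code from this thread and not netfilter's own logic.
hashlimit --hashlimit-mode srcip is modelled as a token bucket per source IP
(capacity = --hashlimit-burst, refill = --hashlimit rate, entry garbage-
collected after --hashlimit-htable-expire), and the 'recent' list as a table
of last-seen timestamps. The rcheck step (ban_seconds) is an assumption:
the quoted rules --set the blacklist but the excerpt shows no rule using it.
"""
from collections import defaultdict


class HashLimit:
    """Token bucket keyed by source IP (--hashlimit-mode srcip)."""

    def __init__(self, rate_per_sec, burst, expire_sec):
        self.rate = rate_per_sec
        self.burst = burst
        self.expire = expire_sec
        self.table = {}          # src -> (tokens, last_seen)

    def match(self, src, now):
        tokens, last = self.table.get(src, (self.burst, now))
        if now - last > self.expire:          # idle entry expired: start a fresh bucket
            tokens, last = self.burst, now
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.table[src] = (tokens - 1, now)
            return True                       # within rate: rule matches -> RETURN
        self.table[src] = (tokens, now)
        return False                          # over rate: fall through to the next rule


class Recent:
    """The two xt_recent operations used here: --set and --rcheck --seconds."""

    def __init__(self):
        self.last_seen = {}

    def set(self, src, now):
        self.last_seen[src] = now

    def rcheck(self, src, now, seconds):
        return src in self.last_seen and now - self.last_seen[src] <= seconds


def run_chain(packets, rate=200, burst=3, expire=300, ban_seconds=60):
    """Walk the syn-flood chain for each (time, src) SYN; return verdict counts per source."""
    limiter = HashLimit(rate, burst, expire)
    blacklist = Recent()
    verdicts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for now, src in packets:
        if blacklist.rcheck(src, now, ban_seconds):   # assumed rcheck rule
            verdicts[src]["DROP"] += 1
        elif limiter.match(src, now):                 # hashlimit ... -j RETURN
            verdicts[src]["ACCEPT"] += 1
        else:                                         # recent --set -j DROP
            blacklist.set(src, now)
            verdicts[src]["DROP"] += 1
    return dict(verdicts)


def sample_traffic():
    """Constructed SYN stream: a normal client at 5 SYN/s for 10 s, and a
    flooder at 1000 SYN/s for 2 s that then retries once a second."""
    pkts = [(i / 5, "192.0.2.10") for i in range(50)]
    pkts += [(i / 1000, "198.51.100.7") for i in range(2000)]
    pkts += [(3.0 + i, "198.51.100.7") for i in range(5)]
    return sorted(pkts)


if __name__ == "__main__":
    for src, counts in run_chain(sample_traffic()).items():
        print(src, counts)
```

Run as-is, the normal client is never touched, and the flooder gets exactly `burst` SYNs through before its fourth one lands in the blacklist; every later SYN from that source is dropped by the rcheck step until `ban_seconds` has passed. Setting `ban_seconds=0` shows what the rules do without a consulting step: the `--set` records the address but nothing reads it, so the flooder keeps getting roughly one SYN per refill interval through the hashlimit rule.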