Linux Netfilter discussions
From: Alex Flex <aflexzor@gmail.com>
To: Payam Chychi <pchychi@gmail.com>, netfilter@vger.kernel.org
Subject: Re: SynFloods and CPU usage with and without iptables. Confused!
Date: Sat, 04 May 2013 12:45:57 -0600
Message-ID: <51855765.9020305@gmail.com>
In-Reply-To: <7668B4D1FBE84D73BC3BFBFCAFCBEC1F@gmail.com>

Payam,

This is a copy of the sysctl.conf on the second machine that got DoSed
with 20 Mbits, if you think it helps.

#DEFAULTS
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the maximum number of bytes held in a single message queue
kernel.msgmnb = 65536

# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the total amount of shared memory available system-wide, in pages
kernel.shmall = 268435456

###########################################################################################################

# MODIFIED VERSION -- REPLACES DEFAULTS
# March 12 2012 JP - Based on a Red Hat based distro.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed, source-routed and redirected packets ("martians").
# Left OFF here (0); net.ipv4.conf.all.log_martians is set to 1 further down
# this file, and since sysctl applies lines in order that later line wins.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Lower the default tcp_fin_timeout (seconds an orphaned socket stays in FIN-WAIT-2)
net.ipv4.tcp_fin_timeout = 15

# Lower the default tcp_keepalive_time (seconds of idle before the first keepalive probe)
net.ipv4.tcp_keepalive_time = 1800

# Turn off tcp_window_scaling (commented out, so the kernel default stays in effect)
#net.ipv4.tcp_window_scaling = 0

# Turn off tcp_sack (commented out, so the kernel default stays in effect)
#net.ipv4.tcp_sack = 0

# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Ignore ICMP echo requests sent to broadcast addresses
# (0 here = broadcast pings are still answered; 1 would ignore them)
net.ipv4.icmp_echo_ignore_broadcasts = 0

# Ignore ALL ICMP echo requests
# (0 here = the host still answers pings; this knob affects echo only, not all ICMP)
net.ipv4.icmp_echo_ignore_all = 0

# Ignore bogus ICMP error responses instead of logging them
# (0 here = bogus responses are still logged; 1 would silence them)
net.ipv4.icmp_ignore_bogus_error_responses = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Size of the SYN backlog, i.e. the half-open connection queue (q0).
# When it overflows and tcp_syncookies is enabled, SYN cookies take over.
net.ipv4.tcp_max_syn_backlog = 1024

# Maximum number of sockets held in TIME-WAIT at once
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

########## IPv6 networking start ##############
#DISABLE IPV6
net.ipv6.conf.all.disable_ipv6 = 1
########## IPv6 networking ends ##############

#Enable ExecShield protection
#kernel.exec-shield = 1
#kernel.randomize_va_space = 1

# TCP and memory optimization
# increase TCP max buffer size settable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
#fs.file-max = 65535

#Allow for more PIDs
#kernel.pid_max = 65536


Thanks
Alex
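A small parser for the sysctl.conf(5) format posted above, added here as an example and not part of the original message: it reports the value sysctl will actually apply when a key is assigned twice, as log_martians is in this file (0, then 1; the later line wins), and pulls out the syncookie and SYN-backlog knobs the thread is about. The excerpt it runs on is a constructed cut-down of the posted file.

```python
import re

# Constructed excerpt shaped like the posted file: one key is assigned twice,
# one line is commented out, and one value has two fields.
SAMPLE_CONF = """\
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
#net.ipv4.tcp_window_scaling = 0
net.ipv4.ip_local_port_range = 2000 65535
"""

# sysctl.conf(5) syntax is "token = value"; a '/' in the token equals a '.'.
LINE_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(.*)$")


def parse_sysctl_conf(text):
    """Return (effective, duplicates): effective maps key -> the value sysctl
    actually applies (the LAST assignment in file order); duplicates maps any
    key assigned more than once -> all of its values, so it can be flagged."""
    effective, seen = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # whole-line comments only
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                        # malformed line: sysctl warns and skips
        key, value = m.group(1).replace("/", "."), m.group(2).strip()
        seen.setdefault(key, []).append(value)
        effective[key] = value
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def syn_flood_knobs(effective):
    """The two settings the thread turns on: syncookies and the q0 size."""
    return {
        "syncookies_on": effective.get("net.ipv4.tcp_syncookies") == "1",
        "syn_backlog": int(effective.get("net.ipv4.tcp_max_syn_backlog", 0)),
    }
```

Running `parse_sysctl_conf` over the full posted file reports every block that was pasted twice as well as the log_martians flip.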
