[GLLUG] Infected - Help/advice?

Caleb Cushing xenoterracide at gmail.com
Mon Mar 12 21:13:39 EDT 2007


> I think you're getting SYN flooded, hehe.

if this is true enable syn cookies in the kernel.

all you should have to do is add this in /etc/sysctl.conf (I think this is the
same on all distros)

net.ipv4.tcp_syncookies = 1

if you rolled your own kernel make sure that you compiled with
CONFIG_SYN_COOKIES=y (can be a module too)

also some good iptables rules (careful this may limit legit traffic)

"A SYN flood attack is performed by sending the SYN packet but failing
to respond to the SYN+ACK packet. The client-side can forge a packet
with a fake source IP address because it does not need a reply. The
server-side system will add an entry to a queue of half-open
connections when it receives the SYN packet and then wait for the
final ACK packet before deleting the entry from the queue. The queue
has a limited number of slots and if all the slots are filled it is
unable to open any further connections. If the ACK packet is not
received before a specified timeout period the entry will
automatically be deleted from the queue. The timeout settings vary but
will typically be 30-60 seconds or even more. The client-side
initiates the attack by forging a lot of SYN packets with different
source IP addresses and sends them to the target IP address as fast as
possible and thereby filling up the queue of half-open connections and
thus preventing other clients from establishing a legitimate
connection with the server.

This is where the rate limit becomes handy. It is possible to limit
the rate of accepted SYN packets by using the -m limit --limit 1/s.
This will limit the number of SYN packets accepted to one per second
and therefore restricting the SYN flood on our resources. " --Gentoo
Security Handbook

this handbook has some great firewall rules too but they don't
optimize their chains and the script will work with gentoo only out of
the box because it uses einfo (note: all iptables rules mentioned will
work with almost any linux install. they may not work with embedded
systems like my router, because they require stateful rules)
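The two settings the post recommends can be audited from a shell before anything is changed. The script below is an added example and is not part of the original post or the Gentoo Security Handbook: it checks whether SYN cookies are on at runtime (the /proc file behind the sysctl) and whether /etc/sysctl.conf makes that persistent, and it prints, without applying, a SYN rate-limit chain in the spirit of the handbook's `-m limit --limit 1/s` rule. The function names, the dedicated `SYN_LIMIT` chain and the `--limit-burst` value are this example's own choices; the file paths default to the real ones but are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example (not from the original post): audit SYN-cookie configuration
# and print (not apply) a SYN rate-limit rule set. Paths are parameters so the
# checks can run against copies of the real files.

# Return 0 if the runtime value (a /proc-style file holding one digit) is 1,
# 1 if it is anything else, 2 if the file cannot be read.
# Usage: syncookies_enabled [/proc/sys/net/ipv4/tcp_syncookies]
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] || return 2
    val=$(tr -d '[:space:]' < "$f")
    [ "$val" = "1" ]
}

# Return 0 if the persistent config ends up setting net.ipv4.tcp_syncookies = 1.
# Comment lines are ignored and the last uncommented occurrence wins, which is
# how sysctl(8) applies a file top to bottom.
# Usage: syncookies_persistent [/etc/sysctl.conf]
syncookies_persistent() {
    f="${1:-/etc/sysctl.conf}"
    [ -r "$f" ] || return 2
    val=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$f" | tail -n 1)
    [ "$val" = "1" ]
}

# Print iptables commands that rate-limit new TCP connections to 1/s.
# The separate SYN_LIMIT chain and --limit-burst (default 4) are assumptions of
# this example: the burst lets a handful of legitimate connections through at
# once before the steady 1/s rate applies. Nothing is applied here; review the
# output and pipe it into sh only if the rate is acceptable for your server,
# since (as the post warns) it can also throttle legitimate clients.
syn_ratelimit_rules() {
    burst="${1:-4}"
    echo "iptables -N SYN_LIMIT"
    echo "iptables -A SYN_LIMIT -m limit --limit 1/s --limit-burst $burst -j RETURN"
    echo "iptables -A SYN_LIMIT -j DROP"
    echo "iptables -I INPUT -p tcp --syn -j SYN_LIMIT"
}

# Report on the live system when run directly.
if syncookies_enabled; then
    echo "runtime:    SYN cookies enabled"
else
    echo "runtime:    SYN cookies NOT enabled (or /proc not readable)"
fi
if syncookies_persistent; then
    echo "persistent: /etc/sysctl.conf sets net.ipv4.tcp_syncookies = 1"
else
    echo "persistent: /etc/sysctl.conf does not enable SYN cookies (or is unreadable)"
fi
echo "proposed rate-limit rules (not applied):"
syn_ratelimit_rules
```

A runtime value of 1 with no persistent setting means the protection will be lost at the next reboot; the persistent check is what catches that case. Whether the kernel was built with CONFIG_SYN_COOKIES is not checked here: if the /proc file is absent the runtime check returns 2, which is the signal to look at the kernel config.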
