
My server is under SYN and/or botnet, how can I prevent this attack?

Discussion in 'General Discussion' started by PHP Warner, Feb 14, 2010.

  1. PHP Warner (Member; joined Aug 6, 2006)

    Hello friends,

    One of my dedicated servers (Intel E8400 + 8 GB RAM, CentOS 5 and cPanel) has been under SYN floods that started 2 days ago. The attacks come from different spoofed IP addresses and ports, as in the logs below.

    Code:
    [root@host ~]# netstat -nap | grep SYN
    tcp 0 0 66.90.74.9x:80 78.173.134.206:3976 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.163.252.227:4509 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.229.21.247:40454 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.229.21.247:38860 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.160.209.142:7495 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 85.110.248.153:1801 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.230.205.11:3136 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.170.231.195:4774 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.167.63.205:3810 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.180.147.111:2515 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.170.231.195:1567 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.162.151.64:3483 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 95.15.119.150:3654 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.175.26.95:3698 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 85.104.240.151:3550 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.253.178.14:3839 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.189.116.97:3430 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.167.205.51:1712 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.189.116.97:3090 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 85.103.231.48:1787 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.245.200.161:2139 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.189.116.97:3419 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 94.122.128.227:7552 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.166.149.212:1846 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.230.180.131:1318 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.167.120.175:3638 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 94.122.128.227:10561 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 85.99.48.210:4189 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.230.165.14:38697 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 85.110.248.153:3428 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 78.170.231.195:1042 SYN_RECV -
    tcp 0 0 66.90.74.9x:80 88.254.227.129:1278 SYN_RECV -
    
    And goes on... ...

    The total number of attacking IPs is 2048 today; yesterday it was 1024.

    Code:
    [root@host ~]# netstat -nap | grep SYN | wc -l
    2048
    
    I've used CSF (ConfigServer Firewall), but it is not protecting me. I've set the parameters below plus the High Security Level:

    Code:
    SYNFLOOD  = 1
    SYNFLOOD_RATE  = 1/s
    SYNFLOOD_BURST  = 3
    When it is running, I am not able to log in to the server and all services are down, so I stopped it. The inetbase DDoS script is not working either...

    I've changed the Apache port to a different one and installed Nginx as the web server running on port 80. I am using Nginx to filter content and forward it to Apache (mod_evasive installed), like a proxy. This solution worked until today, because the attacker increased the number of spoofed IPs.

    I am also using iptables to filter incoming TCP SYN requests. My iptables rules are below:

    Code:
    # Limit the number of incoming tcp connections
    # Interface 0 incoming syn-flood protection
    iptables -N syn_flood
    iptables -A INPUT -p tcp --syn -j syn_flood
    iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
    iptables -A syn_flood -j DROP
    #Limiting the incoming icmp ping request:
    iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
     
    iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
    iptables -A INPUT -p icmp -j DROP
     
    iptables -A OUTPUT -p icmp -j ACCEPT
    
    I've limited incoming TCP requests on port 80 with iptables:

    Code:
    iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set
    iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    By the way, with this the number of attacking IPs goes down to approximately 250, but the sites are very slow and generally not working. I've requested a null-route for the attacked IPs from the DC...

    So could someone please help me prevent this attack, or give any advice or something else? Is FreeBSD more powerful than CentOS for protection? The DC told me there is no difference, but I guess it is sensitive to SYN floods...

    I've read all the articles about this, but nothing helps me in this situation. I would be very pleased if someone could help with my problem or provide me with an iptables config, any firewall app or whatever else stops it.

    Many thanks in advance for your answers.
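As an added example (not part of the thread and not the poster's code), the Python below turns `netstat -nap` output of the shape shown above into per-port and per-source counts of half-open (SYN_RECV) connections, then applies a simple heuristic to the question the rest of the thread turns on: whether the flood comes from a few hosts, which per-IP rules like the `-m recent` chain above can hold back, or from many spoofed addresses with one or two SYNs each, where per-IP blocking removes nothing and only kernel-side and upstream defences help. The sample listing (documentation-range addresses), the 50% share threshold, the `min_half_open` cut-off and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of `netstat -nap` output (documentation-range
# addresses, not the poster's data). Only SYN_RECV rows are half-open connections;
# the LISTEN and ESTABLISHED rows are there to show that they are filtered out.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/nginx
tcp 0 0 192.0.2.10:80 203.0.113.11:3976 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.12:4509 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.13:40454 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.13:38860 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.14:7495 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.15:1801 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.16:3136 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.17:4774 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.18:3810 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.19:2515 SYN_RECV -
tcp 0 0 192.0.2.10:22 203.0.113.20:1567 SYN_RECV -
tcp 0 0 192.0.2.10:80 203.0.113.21:3483 SYN_RECV -
tcp 0 0 192.0.2.10:80 198.51.100.7:55122 ESTABLISHED 5678/httpd
"""

# proto recv-q send-q local:port remote:port state [pid/program]
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)"
)


def parse_netstat(text):
    """Yield one dict per TCP row; headers, udp and unix-socket lines do not match."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def half_open_summary(text, top_n=3):
    """Count SYN_RECV entries per local port and per remote address."""
    rows = [r for r in parse_netstat(text) if r["state"] == "SYN_RECV"]
    per_port = Counter(int(r["lport"]) for r in rows)
    per_src = Counter(r["raddr"] for r in rows)
    return {
        "total": len(rows),
        "per_local_port": dict(per_port),
        "unique_sources": len(per_src),
        "top_sources": per_src.most_common(top_n),
    }


def classify(summary):
    """Heuristic (assumption of this example): if the top sources hold at least half
    of the half-open connections, per-IP blocking can bite; if the load is spread
    over many addresses with one or two SYNs each, as with spoofing, it cannot."""
    total = summary["total"]
    if total == 0:
        return "idle"
    top_share = sum(n for _, n in summary["top_sources"]) / total
    return "concentrated" if top_share >= 0.5 else "distributed"


def suggest_rules(summary, min_half_open=5):
    """iptables DROP rules for sources that alone hold >= min_half_open half-open
    connections. Returns [] for a distributed flood, where such rules are futile."""
    if classify(summary) != "concentrated":
        return []
    return [
        f"iptables -I INPUT -s {ip} -p tcp --syn -j DROP"
        for ip, n in summary["top_sources"]
        if n >= min_half_open
    ]


if __name__ == "__main__":
    s = half_open_summary(SAMPLE_NETSTAT)
    print(s, classify(s), suggest_rules(s))
```

On the sample the verdict is "distributed" and no rule is emitted: twelve half-open connections from eleven addresses is exactly the pattern the posted `--hitcount 3` rule cannot stop without also locking out real visitors. Feed the script the live listing (`netstat -nap | python3 this.py` with a `sys.stdin.read()` in place of the sample) to see which case you are in before adding per-IP rules.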
     
  2. jdarow (Well-Known Member, PartnerNOC; joined May 30, 2003; Michigan, US; cPanel Access Level: DataCenter Provider)

    Make sure CentOS is up to date and that you're running the latest kernel and other packages.

    yum update

    ! You must reboot (shutdown now -r) if a new kernel is installed.

    SYN:

    Code:
    sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_synack_retries=2

    Spoofing:

    Code:
    sysctl -w net.ipv4.conf.all.rp_filter=1
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.conf.eth0.rp_filter=1
    sysctl -w net.ipv4.conf.lo.rp_filter=1
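As an added illustration (not from the thread or from jdarow), the toy Python below shows why `net.ipv4.tcp_syncookies=1` is the decisive setting against a spoofed SYN flood. A server that keeps one half-open entry per SYN fills its backlog (1024 here, the value the reply raises to 2048) and then drops legitimate SYNs; a server that encodes the connection parameters into its initial sequence number as a keyed hash (a SYN cookie) stores nothing until the third handshake packet arrives, and can still validate the real client's ACK while forged or stale ACKs fail. The cookie layout, the 64-second time slot, the MSS table, the secret and the class and function names are assumptions for this example and are simplified relative to the kernel's real format.

```python
import hmac
import hashlib

# Assumptions for this toy (constructed, not the kernel's real constants):
SECRET = b"per-boot-random-key"          # the kernel derives its keys randomly at boot
MSS_TABLE = (536, 1300, 1440, 1460)      # MSS values a cookie can encode, indexed 0..3
SLOT_SECONDS = 64                        # cookie valid for the current and previous slot


def _cookie_hash(secret, saddr, sport, daddr, dport, client_isn, slot):
    """Keyed hash over the 4-tuple, the client's ISN and the time slot; low 21 bits."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFF


def make_syn_cookie(secret, saddr, sport, daddr, dport, client_isn, now, mss_index):
    """Server ISN for a SYN: 8 bits time slot | 3 bits MSS index | 21 bits keyed hash."""
    slot = (now // SLOT_SECONDS) & 0xFF
    h = _cookie_hash(secret, saddr, sport, daddr, dport, client_isn, slot)
    return (slot << 24) | ((mss_index & 0x7) << 21) | h


def check_syn_cookie(secret, saddr, sport, daddr, dport, seq, ack, now):
    """Validate the third handshake packet: seq is the client's ISN + 1, ack is our
    ISN (the cookie) + 1. Returns the negotiated MSS, or None if the cookie is bad."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if ((now // SLOT_SECONDS) - slot) & 0xFF > 1:      # too old: replayed or forged
        return None
    expected = _cookie_hash(secret, saddr, sport, daddr, dport, client_isn, slot)
    got = cookie & 0x1FFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    mss_index = (cookie >> 21) & 0x7
    return MSS_TABLE[mss_index] if mss_index < len(MSS_TABLE) else None


class StatefulServer:
    """Classic behaviour: every SYN allocates a half-open entry until the backlog is full."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}
        self.dropped = 0

    def on_syn(self, key, client_isn):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                      # no room: the SYN is discarded
            return False
        self.half_open[key] = client_isn
        return True


class CookieServer:
    """tcp_syncookies behaviour: no state per SYN; the ACK proves the client exists."""
    def __init__(self, secret):
        self.secret = secret

    def on_syn(self, key, client_isn, now, mss_index=3):
        return make_syn_cookie(self.secret, *key, client_isn, now, mss_index)

    def on_ack(self, key, seq, ack, now):
        return check_syn_cookie(self.secret, *key, seq, ack, now)


def simulate(n_spoofed=2048, backlog=1024):
    """Flood both servers with spoofed SYNs that never complete the handshake, then
    let one real client connect. Returns what each server did with it."""
    stateful, cookie = StatefulServer(backlog), CookieServer(SECRET)
    now = 1_000_000
    for i in range(n_spoofed):
        key = (f"203.0.{(i >> 8) & 0xFF}.{i & 0xFF}", 1024 + i, "192.0.2.10", 80)
        stateful.on_syn(key, i * 7919)
        cookie.on_syn(key, i * 7919, now)           # hands back an ISN, stores nothing

    legit = ("198.51.100.7", 40000, "192.0.2.10", 80)
    client_isn = 123456
    accepted_stateful = stateful.on_syn(legit, client_isn)
    server_isn = cookie.on_syn(legit, client_isn, now)
    mss = cookie.on_ack(legit, client_isn + 1, server_isn + 1, now + 5)
    forged = cookie.on_ack(legit, client_isn + 1, (server_isn ^ 0x1) + 1, now + 5)
    stale = cookie.on_ack(legit, client_isn + 1, server_isn + 1, now + 200)
    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped": stateful.dropped,
        "stateful_legit_accepted": accepted_stateful,
        "cookie_legit_mss": mss,
        "cookie_forged_rejected": forged is None,
        "cookie_stale_rejected": stale is None,
    }


if __name__ == "__main__":
    print(simulate())
```

Two points the simulation makes concrete: raising `tcp_max_syn_backlog` only moves the ceiling the flood fills, whereas cookies remove the per-SYN state the attacker is trying to exhaust; and lowering `tcp_synack_retries` shortens how long each half-open entry lingers when cookies are not in use. Note also that `sysctl -w` changes apply immediately but do not survive a reboot: put the same `key = value` lines in /etc/sysctl.conf and run `sysctl -p` to make them persistent.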
     
  3. PHP Warner (Member; joined Aug 6, 2006)

    # yum update
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * addons: mirror.nexcess.net
    * base: ftp.osuosl.org
    * extras: pubmirrors.reflected.net
    * updates: onTime 1405 - VoIP Appointment Reminder Calls for your office
    Excluding Packages in global exclude list
    Finished
    Setting up Update Process
    No Packages marked for Update

    I guess the kernel is up to date.

    Could you please suggest iptables rules to prevent SYN floods, jdarow? I would be very pleased.

    Thanks.
     
  4. aqjedd (Member; joined Oct 6, 2009)

    Hello,

    Can I ask where to add/edit these settings?

    Thanks
     
  5. WebGraf (Member; joined Feb 13, 2010)

    Use SSH for this.
     