My server is under SYN and/or botnet, how can I prevent this attack?

PHP Warner

Member
Aug 6, 2006
23
0
151
Hello friends,

One of my dedicated servers (Intel E8400 + 8 GB RAM, CentOS 5 and cPanel) has been under SYN floods that started 2 days ago. The attacks come from different spoofed IP addresses and ports, as in the logs below.

Code:
# netstat -nap | grep SYN
tcp 0 0 66.90.74.9x:80 78.173.134.206:3976 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.163.252.227:4509 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.229.21.247:40454 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.229.21.247:38860 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.160.209.142:7495 SYN_RECV -
tcp 0 0 66.90.74.9x:80 85.110.248.153:1801 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.230.205.11:3136 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.170.231.195:4774 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.167.63.205:3810 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.180.147.111:2515 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.170.231.195:1567 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.162.151.64:3483 SYN_RECV -
tcp 0 0 66.90.74.9x:80 95.15.119.150:3654 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.175.26.95:3698 SYN_RECV -
tcp 0 0 66.90.74.9x:80 85.104.240.151:3550 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.253.178.14:3839 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.189.116.97:3430 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.167.205.51:1712 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.189.116.97:3090 SYN_RECV -
tcp 0 0 66.90.74.9x:80 85.103.231.48:1787 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.245.200.161:2139 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.189.116.97:3419 SYN_RECV -
tcp 0 0 66.90.74.9x:80 94.122.128.227:7552 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.166.149.212:1846 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.230.180.131:1318 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.167.120.175:3638 SYN_RECV -
tcp 0 0 66.90.74.9x:80 94.122.128.227:10561 SYN_RECV -
tcp 0 0 66.90.74.9x:80 85.99.48.210:4189 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.230.165.14:38697 SYN_RECV -
tcp 0 0 66.90.74.9x:80 85.110.248.153:3428 SYN_RECV -
tcp 0 0 66.90.74.9x:80 78.170.231.195:1042 SYN_RECV -
tcp 0 0 66.90.74.9x:80 88.254.227.129:1278 SYN_RECV -
And so on...

The total number of attacked IPs is 2048 today; it was 1024 yesterday.

Code:
# netstat -nap | grep SYN | wc -l
2048
I've used CSF (ConfigServer Firewall) but it is not protecting. I've set the parameters below plus the High Security Level:

Code:
SYNFLOOD = 1
SYNFLOOD_RATE = 1/s
SYNFLOOD_BURST = 3
When it is running, I am not able to log in to the server and all services are down, so I stopped it. Also the inetbase DDoS script is not working...

I've changed the Apache port to a different one and installed Nginx as the web server running on port 80. I am using Nginx to filter content and forward it to Apache (mod_evasive installed), like a proxy. This solution worked until today, because the attacker increased the spoofed IPs.

Also I am using iptables to filter incoming TCP SYN requests. My iptables rules are below:

Code:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
I've limited incoming TCP requests on port 80 with iptables:

Code:
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
By the way, the attacked IPs are going down to approximately 250, but sites are very slow and generally are not working. I've requested a null-route for my attacked IPs from the DC...

So could someone please help me prevent this attack, or give any advice or something else? Is the FreeBSD OS more powerful than CentOS for protection? The DC told me there is nothing different, but I guess it is sensitive to SYN floods...

I've read all the articles about this but nothing helps me in this situation. I would be very pleased if someone could help with my problem or provide me an iptables config, any firewall apps or whatever that stops it.

Many thanks in advance for your answers.
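Before choosing a countermeasure it helps to know whether the half-open connections in the netstat output above come from a few repeat sources (which a per-IP rule such as the `-m recent` one can throttle) or from thousands of one-off spoofed addresses (where only syncookies and upstream filtering help, since no per-IP rule ever sees the same source twice). The triage script below is an added example, not something posted in this thread; it parses `netstat -nap` output with awk, assumes IPv4 peers, and the sample lines are constructed using documentation addresses rather than the poster's real hosts.

```shell
#!/bin/sh
# Added example (not from the thread): summarise half-open (SYN_RECV)
# connections per remote address from `netstat -nap` output, to tell a
# few chatty real hosts apart from a spread of single-hit spoofed sources.

# Count SYN_RECV entries per remote IP. Reads netstat output on stdin and
# prints "count ip", highest first. Field 5 is "remote:port"; the port is
# stripped (IPv4 only: the split on ':' does not handle IPv6 peers).
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" {
            split($5, peer, ":")
            n[peer[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Total number of half-open connections (what the poster got with wc -l).
syn_recv_total() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Sources holding at least $1 half-open connections. Only these are worth a
# targeted per-IP rule; a flood made of one-hit spoofed sources yields none.
syn_recv_repeat_offenders() {
    threshold="$1"
    syn_recv_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample in the same layout as the thread's netstat output.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT='tcp 0 0 198.51.100.10:80 203.0.113.5:3976 SYN_RECV -
tcp 0 0 198.51.100.10:80 203.0.113.7:4509 SYN_RECV -
tcp 0 0 198.51.100.10:80 203.0.113.5:40454 SYN_RECV -
tcp 0 0 198.51.100.10:80 203.0.113.9:38860 ESTABLISHED 1234/nginx
tcp 0 0 198.51.100.10:80 203.0.113.5:7495 SYN_RECV -
tcp 0 0 198.51.100.10:80 203.0.113.11:1801 SYN_RECV -'

# On a live box, pipe the real output instead of the sample:
#   netstat -nap | syn_recv_by_source | head
#   netstat -nap | syn_recv_repeat_offenders 20
```

If the top of the list is a handful of addresses with dozens of entries each, those are candidates for a targeted block or a `-m recent` rate limit; if every address appears once and the total keeps climbing, the sources are spoofed and the useful levers are `tcp_syncookies`, a larger `tcp_max_syn_backlog`, and filtering upstream at the data centre.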
 

jdarow

Well-Known Member
PartnerNOC
May 30, 2003
88
1
156
Michigan, US
cPanel Access Level
DataCenter Provider
Make sure CentOS is up to date, and that you're running the latest kernel and other packages.

yum update

! You must reboot (shutdown -r now) if a new kernel is installed.

SYN:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_synack_retries=2

Spoofing:

sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.eth0.rp_filter=1
sysctl -w net.ipv4.conf.lo.rp_filter=1
 

PHP Warner

Member
Aug 6, 2006
23
0
151
# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: mirror.nexcess.net
* base: ftp.osuosl.org
* extras: pubmirrors.reflected.net
* updates: onTime 1405 - VoIP Appointment Reminder Calls for your office
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update

I guess the kernel is up to date.

Could you please suggest iptables rules to prevent SYN floods? I will be very pleased, jdarow.

Thanks.
 

aqjedd

Member
Oct 6, 2009
23
0
51
SYN:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_synack_retries=2

Spoofing:

sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.eth0.rp_filter=1
sysctl -w net.ipv4.conf.lo.rp_filter=1
Hello,

can I ask where to add/edit these settings?


thanks
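On where the sysctl settings from the earlier reply belong: `sysctl -w` only changes the running kernel, and the values are gone after the next reboot unless they are also written to `/etc/sysctl.conf`, which CentOS 5 applies at boot (and which `sysctl -p` applies on demand). The script below is an added example, not something posted in this thread. It uses the corrected key name `net.ipv4.tcp_synack_retries` (the bare `tcp_synack_retries` in the reply is rejected by sysctl as an unknown key), and it leaves out the per-interface `eth0`/`lo` rp_filter keys because Linux applies the stricter of `net.ipv4.conf.all.rp_filter` and the per-interface value, so the `all` and `default` keys already cover every interface, including ones that appear later.

```shell
#!/bin/sh
# Added example (not from the thread): persist the SYN-flood and
# anti-spoofing sysctl settings discussed above in a sysctl.conf-style file.
# Nothing at top level touches the live system; apply_syn_settings is the
# only function that does, and it needs root on the server.

SYN_SETTINGS='net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

# Append each setting to the given sysctl file unless the key is already
# present there, so the script can be re-run without duplicating lines.
# A pre-existing entry is deliberately left alone (check it afterwards with
# sysctl_file_value) rather than silently overwritten.
add_syn_settings() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    printf '%s\n' "$SYN_SETTINGS" | while IFS= read -r line; do
        key="${line%% =*}"
        if ! grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
            printf '%s\n' "$line" >> "$file"
        fi
    done
}

# Print the value configured for key $2 in file $1 (empty if absent).
sysctl_file_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Load the file into the running kernel (root only; same as at boot).
apply_syn_settings() {
    sysctl -p "$1"
}

# Typical use on the server, as root:
#   add_syn_settings /etc/sysctl.conf && apply_syn_settings /etc/sysctl.conf
#   sysctl net.ipv4.tcp_syncookies    # confirms the running value
```

Keeping an existing entry instead of overwriting it is a deliberate choice: if `tcp_syncookies` is already set to 0 in the file, someone put it there, and the right move is to see why rather than have a script flip it. After editing, `sysctl -p` reports any key the kernel does not recognise, which is exactly how a typo such as the missing `net.ipv4.` prefix shows up.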