[nylug-talk] Help: Under Attack! (SYN flood)

Chris Knadle Chris.Knadle at coredump.us
Sun Nov 4 01:19:02 EDT 2007


On Saturday 03 November 2007, Joachim Stahl wrote:
> > > One of my sites is under a SYN flood attack.
> >
> > Have a look at /etc/sysctl.conf for the "net.ipv4.tcp_syncookies"
> > setting
>
> Yes, this was already set on the machine, even before the attack
> started.

   Huh.  Okay.  Sounds like you've made additional tweaks, hopefully that will 
help.

> > > iptables -A INPUT -i eth0 -s 11.22.33.44 -j DROP
> >
> > I'm not sure that's what you want -- -A APPENDS a rule rather than
> > INSERTS a rule. I think you might want -I, since if an earlier
> > iptables rule accepts the packet, then the appended rule won't
> > actually reject the packet.
>
> You are right, I actually had it as an insert (-I), but I was playing
> around with it and changed it to -A.

   If you've got default deny and are selectively allowing communication 
[which is what is recommended], then appending a rule to the end has a high 
likelihood of having no effect due to an earlier rule accepting the packet.

> > The rule above doesn't set logging the rejection, so I'm also not sure
> > how you can be sure that this rule is dropping packets.
>
> I run "iptables -nvL", which actually shows that the rule is blocking
> packets, and it is.

   That just lists the rules for you to examine -- it doesn't /prove/ whether 
the rule is actually blocking packets or not; which is why you're 
double-checking with tcpdump.  ;-)
   But have a quick look at the output of "iptables -nvL" again anyway, and 
make sure you don't have an earlier rule that accepts packets for port 80.

> I'm just confused as to why tcpdump still shows it. 

   You need to run tcpdump with the -p option, otherwise it will put the 
ethernet device into promiscuous mode and thus you'll see everything rather 
than only what makes it through iptables.

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
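As an added example (not part of the thread or anyone's post in it), a small POSIX shell helper that reads a saved "iptables -nvL" listing and reports whether a DROP for a given source was appended behind an ACCEPT for the port, which is the -A versus -I ordering problem discussed above, and pulls the DROP rule's packet counter, which is the number that actually shows whether the rule is hitting anything. Both listings are constructed to mirror the thread (ACCEPT for port 80, DROP for 11.22.33.44); function names are my own.

```shell
#!/bin/sh
# Constructed "iptables -nvL" listing of the INPUT chain, modelled on the
# thread: the ACCEPT for tcp dpt:80 comes first and the DROP for the flooding
# source was appended with -A after it, so its counters never move.
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5120  340K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
98765 6543K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       all  --  eth0   *       11.22.33.44          0.0.0.0/0'

# The same chain after the DROP was inserted at the top with -I instead.
SAMPLE_INPUT_FIXED='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812  529K DROP       all  --  eth0   *       11.22.33.44          0.0.0.0/0
 5120  340K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
98765 6543K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# shadowing_accept SRC PORT: reads a chain listing on stdin and prints the
# position of the first ACCEPT for tcp dpt:PORT that precedes the DROP for SRC
# (the rule that shadows it), or 0 if the DROP is reached before any such ACCEPT.
shadowing_accept() {
    awk -v src="$1" -v port="$2" '
        /^Chain / || /^ *pkts +bytes/ { next }                  # skip headers
        { n++ }                                                 # rule position
        $3 == "ACCEPT" && $NF == ("dpt:" port) && !acc { acc = n }
        $3 == "DROP" && $8 == src { done = 1; print acc + 0; exit }
        END { if (!done) print 0 }'
}

# drop_pkts SRC: packet counter of the DROP rule for SRC from a listing on
# stdin; a counter stuck at 0 during a flood means the rule is never reached.
drop_pkts() {
    awk -v src="$1" '
        /^Chain / { next }                                      # policy line also says DROP
        $3 == "DROP" && $8 == src { print $1; exit }'
}

# Stand-alone run against the constructed listing.
pos=$(printf '%s\n' "$SAMPLE_INPUT" | shadowing_accept 11.22.33.44 80)
if [ "$pos" -gt 0 ]; then
    echo "DROP for 11.22.33.44 sits after ACCEPT rule #$pos: it was appended, insert it with -I"
else
    echo "DROP for 11.22.33.44 is not shadowed"
fi
```

To check a live box, replace the constructed variable with `iptables -nvL INPUT | shadowing_accept <src> 80`.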

