[nylug-talk] Help: Under Attack! (SYN flood)

Peter C. Norton spacey-nylug at lenin.net
Mon Nov 5 10:24:49 EST 2007


On Sun, Nov 04, 2007 at 01:19:02AM -0400, Chris Knadle wrote:
> On Saturday 03 November 2007, Joachim Stahl wrote:
> > > > One of my sites is under a SYN flood attack.
> > >
> > > Have a look at /etc/sysctl.conf for the "net.ipv4.tcp_syncookies"
> > > setting
> >
> > Yes, this was already set on the machine, even before the attack
> > started.
> 
>    Huh.  Okay.  Sounds like you've made additional tweaks, hopefully that will 
> help.
> 
> > > > iptables -A INPUT -i eth0 -s 11.22.33.44 -j DROP
> > >
> > > I'm not sure that's what you want -- -A APPENDS a rule rather than
> > > INSERTS a rule. I think you might want -I, since if an earlier
> > > iptables rule accepts the packet, then the appended rule won't
> > > actually reject the packet.
> >
> > You are right, I actually had it as an insert (-I), but I was playing
> > around with it and changed it to -A.
> 
>    If you've got default deny and are selectively allowing communication 
> [which is what is recommended], then appending a rule to the end has a high 
> likelihood of having no effect due to an earlier rule accepting the packet.
> 
> > > The rule above doesn't set logging the rejection, so I'm also not sure
> > > how you can be sure that this rule is dropping packets.
> >
> > I run "iptables -nvL", which actually shows that the rule is blocking
> > packets, and it is.
> 
>    That just lists the rules for you to examine -- it doesn't /prove/ whether 
> the rule is actually blocking packets or not; which is why you're 
> double-checking with tcpdump.  ;-)
>    But have a quick look at the output of "iptables -nvL" again anyway, and 
> make sure you don't have an earlier rule that accepts packets for port 80.
> 
> > I'm just confused as to why tcpdump still shows it. 
> 
>    You need to run tcpdump with the -p option, otherwise it will put the 
> ethernet device into promiscuous mode and thus you'll see everything rather 
> than only what makes it through iptables.

I doubt that'll change what tcpdump shows. I'd be interested if it
did. Either way, tcpdump should show this syn traffic, which is *to
the host*. In that case, you need to rely on the kernel telling you
whether or not it cares about these syns. 

To clarify this, tcpdump is trying to show you what the bits on the
wire are, and not what your kernel has filtered out vs. what passes
through.

-Peter

-- 
The 5 year plan:
In five years we'll make up another plan.
Or just re-use this one.
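The thread makes two checks the right ones: the order of the rules (an earlier ACCEPT shadows an appended DROP) and the rule's own packet counters, since tcpdump shows wire traffic regardless. As an added illustration (not part of the thread or the nylug list), here is a small Python script that parses `iptables -nvL INPUT` output and applies iptables' first-match semantics to a packet from the attacker; the two listings are constructed, and 11.22.33.44 is the placeholder address from the original mail.

```python
import re

# Constructed `iptables -nvL INPUT` listings (sample data, not real output).
HEADER = ("Chain INPUT (policy DROP 12 packets, 720 bytes)\n"
          " pkts bytes target     prot opt in     out     source               destination\n")
ACCEPT80 = " 340K  20M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80\n"
DROPSRC = " 1520 91200 DROP       all  --  eth0   *       11.22.33.44          0.0.0.0/0\n"
LISTING_INSERTED = HEADER + DROPSRC + ACCEPT80   # result of `iptables -I INPUT ... -j DROP`
LISTING_APPENDED = HEADER + ACCEPT80 + DROPSRC   # result of `iptables -A INPUT ... -j DROP`


def _count(text):
    """Counters in -nvL output may carry K/M/G suffixes (use -x for exact values)."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def parse_rules(listing):
    """Return the rules of one chain, in order, as dicts (chain header and column header skipped)."""
    rules = []
    for line in listing.splitlines()[2:]:
        cols = line.split(None, 9)   # pkts bytes target prot opt in out source destination [match text]
        if len(cols) < 9:
            continue
        rules.append({"pkts": _count(cols[0]), "target": cols[2], "proto": cols[3],
                      "src": cols[7], "extra": cols[9] if len(cols) > 9 else ""})
    return rules


def matches(rule, src, port):
    """Would this rule match a TCP packet from `src` to local `port`? (subset of iptables matching)"""
    src_ok = rule["src"] in ("0.0.0.0/0", src)
    proto_ok = rule["proto"] in ("all", "tcp")
    port_ok = "dpt:" not in rule["extra"] or f"dpt:{port}" in rule["extra"]
    return src_ok and proto_ok and port_ok


def first_verdict(listing, src, port):
    """First matching rule wins: return (target, rule number, pkts), or the chain policy if none match."""
    for n, rule in enumerate(parse_rules(listing), 1):
        if matches(rule, src, port):
            return rule["target"], n, rule["pkts"]
    return re.search(r"\(policy (\w+)", listing).group(1), None, None


if __name__ == "__main__":
    for name, listing in (("inserted (-I)", LISTING_INSERTED), ("appended (-A)", LISTING_APPENDED)):
        print(name, "-> SYN from 11.22.33.44 to port 80:", first_verdict(listing, "11.22.33.44", 80))
```

If the DROP counter keeps rising while the ACCEPT for port 80 sits above it, the counted packets are not the port-80 SYNs; re-check with `iptables -nvL` and the rule number rather than with tcpdump.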
