Try taking a look at SYN-Cookies in the Linux kernel. This code was
written explicitly for this type of situation.
You can not stop SYN packets as they are the very first packet in the
three way handshake to start a TCP connection. About all you can do
(other than SYN-Cookies) is to rate limit the number of packets per
source IP.
Grant. . . .
James Harrison wrote:
Hi,
I've been trying to calm down some DDoS attacks on my server, but i've
been stymied on how to block them- however, as APF's AntiDOS plugin
captured and reported to root, the really vigorous ones (The ones it
catches) have no ACK in their headers. SYN, but no ACK. I've read that
this is a common technique used by DDoSers, but i'm unsure if anything
else depends on it.
The plan i'm looking at is possibly blocking all packets with SYN
alone, no ACK.. would this be possible with iptables, and how would
this affect other web services?
Here's one of the captured packet messages (MAC/IPs are removed
obviously)
Aug 4 21:02:30 ukdsl21 kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=**
SRC=** DST=** LEN=48 TOS=0x04 PREC=0x00 TTL=116 ID=53191 DF PROTO=TCP
SPT=4122 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Any ideas?
Sorry if this sounds completely barmy- if it does, do tell :-)
Thanks in advance,
James Harrison
