Do you have kernel parameters in place?

# Against SYN flood attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

# protect against tcp time-wait assassination hazards
# drop RST packets for sockets in the time-wait state
net.ipv4.tcp_rfc1337 = 1

------------------------------------------------------------------------

Hi,

> We are using nftables in a NAT role, like
>
> client <====> Nftables (dnat+snat) <====> server
>
> When an attacker creates thousands of TCP SYNs to Nftables, SNAT will
> use up all the source ports, since nftables never does the real TCP
> connection with the client before forwarding to the server.
>
> How can I avoid this attack? Is there any way to check the reality of
> TCP SYN requests?
>
> Thanks.
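A defensive nftables fragment, added here as an example and not part of the thread, that polices SYNs before they reach conntrack and the NAT hooks: a per-source limit plus an aggregate cap on the DNAT'ed service, and a drop of `ct state invalid` packets in forward. The server range 10.0.0.0/8, port 443 and all rates are assumed values.

```nft
# Added example, not from the thread. SYN cookies only protect sockets
# terminated on this host; flows that are merely forwarded (dnat+snat)
# have to be policed in netfilter itself, before conntrack allocates
# an entry and before SNAT picks a source port for the flood.
table inet synguard {
    # Dynamic set keyed by client address; entries expire on their own.
    set syn_meter {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
    }

    chain prerouting {
        # priority raw (-300) runs before conntrack (-200) and before
        # the NAT prerouting hook (-100), so a dropped SYN never creates
        # a conntrack entry or a NAT mapping.
        type filter hook prerouting priority raw; policy accept;

        # Per-source: more than 20 new connection attempts per second
        # from one address towards the published service are dropped.
        # Range, port and rate are assumptions for this example.
        ip daddr 10.0.0.0/8 tcp dport 443 tcp flags & (syn | ack) == syn \
            add @syn_meter { ip saddr limit rate over 20/second burst 40 packets } \
            counter drop

        # Aggregate: cap total SYNs towards the service so that spoofed
        # sources spread over many addresses cannot exhaust conntrack
        # or the SNAT port range for the server.
        ip daddr 10.0.0.0/8 tcp dport 443 tcp flags & (syn | ack) == syn \
            limit rate over 2000/second burst 4000 packets counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Packets conntrack cannot associate with a known connection
        # (stray ACK/RST, out-of-window segments) are not forwarded.
        ct state invalid counter drop
    }
}
```

The per-source meter only helps while the flood comes from a bounded set of addresses; the aggregate cap is what bounds conntrack and SNAT port consumption when sources are spoofed. The `counter` expressions make both drops visible in `nft list ruleset` so the effect of the limits can be verified during an incident.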