3

One of my servers is under constant SYN DDoS attack. I have decided to set up fail2ban but as far as I can understand, that will only take care of the ssh login attacks. How can I stop these SYN DDoS attacks? I can't seem to find any particularly clear advice on Stack Overflow or Google. A link would also suffice.

Thanks.

womble
  • 98,245
recluze
  • 375

1 Answer

3

There aren't really a lot of upstream solutions to this problem -- unless you can identify some distinguishing characteristic of the traffic (say, the evil bit is set), your upstreams won't be able to filter out the traffic before it gets to you.

The good news is that, as long as you've enabled SYN cookies, a SYN flood isn't a particularly effective DDoS, and its only risk is that it will fill your pipe. So, flip the bit if necessary (echo 1 >/proc/sys/net/ipv4/tcp_syncookies) and keep an eye on your bandwidth utilisation.

womble
  • 98,245
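
An added example, not part of the answer above: a small shell check that confirms the `tcp_syncookies` setting the answer mentions and reads the kernel's SYN cookie counters from `/proc/net/netstat`, which show whether cookies are actually being issued. The function names and the sample data are assumptions made for this example; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: check that SYN cookies are on and whether they are in use.
# File paths are parameters so the functions also work on saved copies.

# Print "enabled" if the sysctl file holds 1 (on overflow) or 2 (always).
syncookies_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    case "$(cat "$f" 2>/dev/null)" in
        1|2) echo enabled ;;
        *)   echo disabled ;;
    esac
}

# Print one TcpExt counter from a netstat-format file.
# Format: a "TcpExt: <names...>" line followed by "TcpExt: <values...>".
tcpext_counter() {
    name="$1"; f="${2:-/proc/net/netstat}"
    awk -v want="$name" '
        $1 == "TcpExt:" && !have { for (i = 2; i <= NF; i++) col[$i] = i; have = 1; next }
        $1 == "TcpExt:" && have  { if (want in col) print $(col[want]); exit }
    ' "$f"
}

# Summarise the setting and the counters that move during a SYN flood.
report() {
    echo "tcp_syncookies: $(syncookies_state "$1")"
    for c in SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows; do
        echo "$c: $(tcpext_counter "$c" "$2")"
    done
}

# Constructed sample in /proc/net/netstat layout (values are made up).
sample_netstat() {
    cat <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows
TcpExt: 5120 37 4 5200
IpExt: InOctets OutOctets
IpExt: 991234 120045
EOF
}

# On a Linux host, print the live values.
if [ -r /proc/net/netstat ]; then report; fi
```

A `SyncookiesSent` value that keeps climbing between runs means the listen queue is overflowing and the kernel is answering with cookies, at which point bandwidth is the thing left to watch.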