
My dedicated server can't handle more than 4 Mbit/s of bandwidth. After that, the server doesn't ping anymore. My provider told me it's because my server isn't well configured.

When I look in the logs (syslog), I see that it's probably a SYN flood on port 8085. So I configured iptables to limit the number of connections per IP:

iptables -I INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset

and

iptables -A INPUT -p tcp --dport 8085 -m state --state NEW -m recent --name BLACKLIST --set
iptables -A INPUT -p tcp --dport 8085 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP

I activated SYN cookies:

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter 

To be sure, I installed fail2ban. But there isn't huge traffic on this port...

Any idea? Thank you.

EEAA
Thomas K

2 Answers


Against a SYN flood, you'd be better off using an iptables line such as:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

This will put a quota on the number of SYNs per second, out-of-quota SYNs then being dropped.
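An added example, not code from the answer above or from the question: a complete SYN rate-limit chain for iptables. One thing worth making explicit is that "-m limit ... -j ACCEPT" on its own only accepts SYNs within the quota; SYNs over the quota simply continue down the INPUT chain, so the DROP that the answer describes has to be a rule of its own. The chain below keeps that fall-through next to the limit rule, and adds a per-source hashlimit rule in front of the shared quota so one flooding address cannot use up the tokens legitimate clients share. The port (8085, from the question), the rates and the burst sizes are assumptions for illustration; the answer's 1/s is far too low for a real service and should be tuned.

```shell
#!/bin/sh
# Added example: a SYN rate-limit chain for iptables (IPv4, limit and hashlimit
# match modules assumed available). Port, rates and bursts are example values.
IPT="${IPT:-iptables}"      # set IPT=echo for a dry run that prints the rules
PORT="${PORT:-8085}"        # service port from the question (assumption)
RATE="${RATE:-1/s}"         # the answer's 1/s; far too low for real traffic, tune it
BURST="${BURST:-25}"        # tokens available before the steady RATE applies

syn_flood_rules() {
    # A dedicated chain keeps the quota rule and its DROP fall-through together.
    $IPT -N SYN_FLOOD 2>/dev/null || $IPT -F SYN_FLOOD
    # Only bare SYNs (new connection attempts) to the service port enter the chain.
    $IPT -A INPUT -p tcp --dport "$PORT" --syn -j SYN_FLOOD
    # Per-source limit first: any single address above 20 SYN/s is dropped
    # without consuming the global quota that legitimate clients share.
    $IPT -A SYN_FLOOD -m hashlimit --hashlimit-name synsrc --hashlimit-mode srcip \
        --hashlimit-above 20/s --hashlimit-burst 50 -j DROP
    # Global token bucket: refilled at RATE, BURST tokens to start. Within quota,
    # RETURN to INPUT so the rest of the ruleset (connlimit, recent, ...) still runs.
    $IPT -A SYN_FLOOD -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    # Everything over quota is dropped; REJECT would answer every flood packet.
    $IPT -A SYN_FLOOD -j DROP
}

case "${1:-}" in
    apply)   syn_flood_rules ;;
    dry-run) IPT=echo; syn_flood_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it with "dry-run" first to see the rules it would add, then "apply" as root. Because the jump rule matches only "--syn" packets to the service port, established connections and other ports are unaffected by the quota.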


First of all, I would recommend you do a packet capture, just to figure out what is going on on the network. This will also give you some numbers for how many connections the server is getting and where the connections are coming from. That should help you figure out whether you are under attack, and what limits might be fitting to set up in iptables, if you need to set up any.

Have you seen greater bandwidth to the server previously? 4 Mbit/s is really low, and I am thinking you could be experiencing a driver issue instead, which leads to the problems you are seeing.
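An added example, not part of the answer above, of the capture it recommends: tcpdump records only bare SYNs to the service port to a file (so the capture adds no load while the server is already struggling), and a small awk pipeline tallies the SYNs per source address from tcpdump's text output. The interface name, the port (8085, from the question) and the sample capture lines are assumptions constructed for this example; the sample is IPv4 only.

```shell
#!/bin/sh
# Added example: capture the SYNs reaching the service port and tally them per
# source. IFACE, PORT and the sample lines below are assumptions for illustration.
IFACE="${IFACE:-eth0}"
PORT="${PORT:-8085}"

# Capture only SYNs with ACK clear (new connection attempts) to the port, to a
# file rather than the terminal, so the capture itself is cheap.
capture_syns() {
    tcpdump -nn -i "$IFACE" -w syn.pcap \
        "tcp dst port $PORT and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
}

# Read tcpdump's text output (tcpdump -nn -r syn.pcap) on stdin and print the
# busiest sources. Field layout: time IP src.port > dst.port: Flags [S], ...
# Only bare SYNs ("[S],") count; the server's own SYN-ACKs ("[S.],") are skipped.
top_syn_sources() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
             src = $3; sub(/\.[0-9]+$/, "", src); print src
         }' \
    | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Constructed sample in tcpdump -nn format; 198.51.100.10 plays the server.
sample_capture() {
    cat <<'EOF'
12:00:01.000100 IP 203.0.113.5.40001 > 198.51.100.10.8085: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.5.40002 > 198.51.100.10.8085: Flags [S], seq 2, win 64240, length 0
12:00:01.000300 IP 198.51.100.7.50123 > 198.51.100.10.8085: Flags [S], seq 3, win 65535, length 0
12:00:01.000400 IP 198.51.100.10.8085 > 198.51.100.7.50123: Flags [S.], seq 9, ack 4, win 65160, length 0
12:00:01.000500 IP 203.0.113.5.40003 > 198.51.100.10.8085: Flags [S], seq 4, win 64240, length 0
12:00:01.000600 IP 198.51.100.7.50123 > 198.51.100.10.8085: Flags [.], ack 10, win 65535, length 0
EOF
}

case "${1:-}" in
    capture) capture_syns ;;
    report)  tcpdump -nn -r syn.pcap | top_syn_sources 10 ;;
    demo)    sample_capture | top_syn_sources 10 ;;
esac
```

"demo" runs the tally over the constructed sample (203.0.113.5 comes out on top with 3 SYNs), "capture" records live SYNs as root, and "report" tallies the recorded file. A handful of sources sending most of the SYNs points to a flood and tells you what to filter; SYNs spread thinly across many addresses at a low total rate point back to the answer's suggestion that the NIC or driver, not an attack, is the problem.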