I have a server (2 x E2620, 32 GB RAM, Debian 6 Linux us-fw 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux, 10G Intel Ethernet Card). It has an Nginx proxy server inside. The idea is to use it as a frontend against DDoS attacks. Currently, if faced with a 500kpps spoofed SYN flood, it becomes almost unresponsive. I've already tried syncookies and various sysctl parameters. Even if the half-open connection timeout is 1 second, it is enough to fill up any buffers. Any ideas on how to harden it against spoofed SYN floods? Maybe some hardcore configs or fw rules?
iptables has various matches that limit the number of connections allowed for a host. By limiting the number of allowed connections, you can mitigate the impact of the DDoS attack.
- Using hashlimit:
  # drop SYNs to port 80 from any single source that exceeds 5 new connections per second
  iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -m hashlimit --hashlimit-name http-flood --hashlimit-mode srcip --hashlimit-above 5/s -j DROP
  This will allow each new host to open 5 connections per second.
- Using connlimit:
  # drop SYNs to port 80 from any single source (/32) that already has more than 5 open connections
  iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d IP.AD.DR.ESS/32 -p tcp --syn --sport 1024: --dport 80 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
  This will allow each new host to open up to 5 parallel connections.
However, keep in mind that as you are looking at the source IP address, this can have a huge impact on people behind a NAT.
You can experiment to find a correct limit value.
Enabling syncookies is also a good idea.
Spack
- 1,626
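The answer's two rules put together as a complete, reviewable ruleset (an added example, not code from the original answer or from the Spack post). It assumes a standard iptables with the hashlimit and connlimit matches and an iptables-restore that accepts --noflush; every address, interface name and limit in it is a constructed placeholder. It goes beyond the answer in two ways: the SYN rate limit sits in the raw table so that dropped SYNs never reach conntrack, and the hashlimit table is bounded with --hashlimit-htable-max and --hashlimit-htable-expire so a flood of spoofed sources cannot grow it without limit. Known NAT egress addresses are exempted through a RETURN in the limiting chain, which addresses the NAT caveat in the answer.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds an iptables-restore
# ruleset that (1) rate-limits SYNs per source in the raw table, i.e. before
# conntrack sees them, (2) bounds the hashlimit table so a spoofed flood cannot
# grow it without limit, (3) caps parallel connections per source, and
# (4) exempts known NAT egress addresses. Every address, interface and limit
# below is a constructed placeholder; adjust to the real environment.

SERVER_IP="${SERVER_IP:-192.0.2.10}"             # placeholder public address of the proxy
IFACE="${IFACE:-eth0}"                           # placeholder uplink interface
SYN_RATE="${SYN_RATE:-5/s}"                      # new connections per source per second
SYN_BURST="${SYN_BURST:-10}"                     # initial burst allowed above SYN_RATE
CONN_LIMIT="${CONN_LIMIT:-20}"                   # parallel connections per source
HTABLE_MAX="${HTABLE_MAX:-65536}"                # max tracked source entries (bounds memory)
HTABLE_EXPIRE_MS="${HTABLE_EXPIRE_MS:-10000}"    # forget a quiet source's entry after 10 s
NAT_WHITELIST="${NAT_WHITELIST:-198.51.100.0/24 203.0.113.7}"  # placeholder NAT egress addresses

# Print one rule line; avoids handing a leading '-' to printf as a format string.
rule() { printf '%s\n' "$*"; }

# Emit the firewall rules in iptables-restore syntax. Nothing is applied here.
syn_flood_rules() {
    rule '*raw'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':SYN_LIMIT - [0:0]'
    # Only TCP SYNs to the web port enter the limiting chain.
    rule "-A PREROUTING -i $IFACE -d $SERVER_IP/32 -p tcp --syn --dport 80 -j SYN_LIMIT"
    # Known NAT gateways skip the per-source limit (many users share one address).
    for net in $NAT_WHITELIST; do
        rule "-A SYN_LIMIT -s $net -j RETURN"
    done
    # A source exceeding SYN_RATE (after its SYN_BURST) is dropped before conntrack
    # allocates anything for it; htable-max caps how many sources are tracked at once.
    rule "-A SYN_LIMIT -m hashlimit --hashlimit-name syn-flood --hashlimit-mode srcip" \
         "--hashlimit-above $SYN_RATE --hashlimit-burst $SYN_BURST" \
         "--hashlimit-htable-max $HTABLE_MAX --hashlimit-htable-expire $HTABLE_EXPIRE_MS -j DROP"
    rule 'COMMIT'
    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    # Cap parallel connections per /32 source; connlimit counts existing conntrack entries.
    rule "-A INPUT -i $IFACE -d $SERVER_IP/32 -p tcp --syn --dport 80 -m connlimit --connlimit-above $CONN_LIMIT --connlimit-mask 32 -j DROP"
    rule 'COMMIT'
}

# Kernel settings that complement the rules (example values, not tuned figures).
syn_sysctls() {
    rule 'net.ipv4.tcp_syncookies=1'                           # answer SYNs statelessly once the backlog is full
    rule 'net.ipv4.tcp_max_syn_backlog=65536'                  # larger half-open queue before cookies kick in
    rule 'net.ipv4.tcp_synack_retries=2'                       # give up on unanswered SYN-ACKs sooner
    rule 'net.netfilter.nf_conntrack_tcp_timeout_syn_recv=15'  # expire half-open conntrack entries faster
}

# Apply to the running system (needs root). --noflush merges into the existing
# tables instead of replacing them; re-running appends the PREROUTING jump again,
# so run it once, or delete that jump before re-applying.
apply_rules() {
    syn_flood_rules | iptables-restore --noflush
    syn_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    syn_flood_rules    # default: just print the ruleset for review
fi
```

Run it without arguments to review the generated ruleset, and with `apply` as root to load it. Two caveats follow from how the matches work. Per-source limits only bite on sources that send more than SYN_RATE; a flood that randomises its source address per packet presents each source once, so the rate limit never triggers and the only effect is table growth, which is why the table is bounded: once HTABLE_MAX entries are in use, hashlimit cannot allocate an entry for a new source and drops that packet, so the rule fails closed for unseen sources during such a flood. Syncookies remain the mechanism that actually serves legitimate clients under a spoofed flood; the raw-table drop just keeps the tracked-source and conntrack tables from being filled by traffic that was going to be discarded anyway.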