Syn flood/attack countermeasures

Support for security such as Firewalls and securing linux
gariac
Posts: 1
Joined: 2017/12/25 02:49:39


Post by gariac » 2018/01/08 03:10:06

uname -a
Linux 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I searched the forum and I haven't exactly found my question answered. From what I read, CentOS out of the box is set up to reject SYN floods. From my log, it appears to be working. Here are my settings, which I assume are default. (OS set up from a VPS, not me.)


cat /proc/sys/net/ipv4/tcp_syncookies
1

cat /proc/sys/net/ipv4/tcp_synack_retries
5

cat /proc/sys/net/ipv4/tcp_max_syn_backlog
128

From:
https://www.servernoobs.com/hardening- ... n-floods/
the suggested settings are

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

Is this advisable, or is it a case of "don't fix what isn't broken"?

Here are the time stamps from a series of SYNs. I will post the full log at the end of the message.


Jan  7 13:22:17  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 
Jan  7 13:22:18  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 
Jan  7 13:22:20  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 
Jan  7 13:22:24  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 
Jan  7 13:22:32  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 
Jan  7 13:22:48  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65

The following was grepped out of my messages log with minor editing of identifiable fields. I assume the sequential SYNs are a mitigated flood, but I'm way over my head here. Checking a few of the IP addresses, this is likely to be hacking (AWS, for instance).


Jan  7 08:33:48  kernel: IN=eth0 OUT= MAC= SRC=212.83.155.66 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=18025 DF PROTO=TCP SPT=161 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0 
Jan  7 09:36:09  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=17047 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 09:36:12  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=17048 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 09:36:18  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=17049 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 10:00:25  kernel: IN=eth0 OUT= MAC= SRC=40.77.167.0 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=108 ID=531 DF PROTO=TCP SPT=9252 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 10:00:28  kernel: IN=eth0 OUT= MAC= SRC=40.77.167.0 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=108 ID=532 DF PROTO=TCP SPT=9252 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 10:00:34  kernel: IN=eth0 OUT= MAC= SRC=40.77.167.0 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=533 DF PROTO=TCP SPT=9252 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 10:34:55  kernel: IN=eth0 OUT= MAC= SRC=139.162.114.154 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=40310 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 13:22:17  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51390 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:22:18  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51391 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:22:20  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51392 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:22:24  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51393 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:22:32  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51394 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:22:48  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51395 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 
Jan  7 13:32:11  kernel: IN=eth0 OUT= MAC= SRC=141.212.122.57 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=57180 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 13:48:41  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=30439 DF PROTO=TCP SPT=12551 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 13:48:44  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=30440 DF PROTO=TCP SPT=12551 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 13:48:50  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30449 DF PROTO=TCP SPT=12551 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 14:31:53  kernel: IN=eth0 OUT= MAC= SRC=74.82.47.12 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54321 PROTO=TCP SPT=36549 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 15:20:59  kernel: IN=eth0 OUT= MAC= SRC=37.203.214.106 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=45009 PROTO=TCP SPT=58521 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan  7 16:24:10  kernel: IN=eth0 OUT= MAC= SRC=39.104.68.70 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=68 DF PROTO=TCP SPT=17778 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 16:44:37  kernel: IN=eth0 OUT= MAC= SRC=139.162.125.159 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=49360 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 16:58:29  kernel: IN=eth0 OUT= MAC= SRC=39.104.68.70 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=30473 DF PROTO=TCP SPT=52844 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 16:58:32  kernel: IN=eth0 OUT= MAC= SRC=39.104.68.70 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=31529 DF PROTO=TCP SPT=52844 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 16:58:38  kernel: IN=eth0 OUT= MAC= SRC=39.104.68.70 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=854 DF PROTO=TCP SPT=52844 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 17:38:12  kernel: IN=eth0 OUT= MAC= SRC=169.54.244.78 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=10978 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 19:00:07  kernel: IN=eth0 OUT= MAC= SRC=141.212.122.146 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=37723 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 19:00:07  kernel: IN=eth0 OUT= MAC= SRC=141.212.122.147 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=58638 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 21:16:24  kernel: IN=eth0 OUT= MAC= SRC=164.52.24.140 DST= LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=34175 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 22:14:22  kernel: IN=eth0 OUT= MAC= SRC=163.172.137.177 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=42696 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  7 22:26:05  kernel: IN=eth0 OUT= MAC= SRC=216.244.66.239 DST= LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=57821 DF PROTO=TCP SPT=39462 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan  7 22:26:06  kernel: IN=eth0 OUT= MAC= SRC=216.244.66.239 DST= LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=57822 DF PROTO=TCP SPT=39462 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan  7 22:26:08  kernel: IN=eth0 OUT= MAC= SRC=216.244.66.239 DST= LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=57823 DF PROTO=TCP SPT=39462 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan  7 22:26:12  kernel: IN=eth0 OUT= MAC= SRC=216.244.66.239 DST= LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=57824 DF PROTO=TCP SPT=39462 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan  7 23:54:21  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.196 DST= LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=2649 DF PROTO=TCP SPT=6633 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 23:54:24  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.196 DST= LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=2650 DF PROTO=TCP SPT=6633 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 23:54:30  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.196 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2656 DF PROTO=TCP SPT=6633 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  7 23:54:42  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.74 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=32589 DF PROTO=TCP SPT=5850 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 23:54:45  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.74 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=32590 DF PROTO=TCP SPT=5850 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  7 23:54:51  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.74 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=32591 DF PROTO=TCP SPT=5850 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  8 00:03:30  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=31199 DF PROTO=TCP SPT=10003 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  8 00:03:33  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=31200 DF PROTO=TCP SPT=10003 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  8 00:03:39  kernel: IN=eth0 OUT= MAC= SRC=157.55.39.99 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31201 DF PROTO=TCP SPT=10003 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  8 01:08:27  kernel: IN=eth0 OUT= MAC= SRC=164.52.6.150 DST= LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=53578 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  8 01:08:27  kernel: IN=eth0 OUT= MAC= SRC=164.52.6.150 DST= LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=53579 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
Jan  8 01:12:37  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.45 DST= LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=10832 DF PROTO=TCP SPT=1349 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  8 01:12:40  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.45 DST= LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=10833 DF PROTO=TCP SPT=1349 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Jan  8 01:12:46  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.45 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=10834 DF PROTO=TCP SPT=1349 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan  8 01:42:50  kernel: IN=eth0 OUT= MAC= SRC=87.98.146.134 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=51943 PROTO=TCP SPT=48596 DPT=80 WINDOW=4096 RES=0x00 ACK URGP=0 
Jan  8 01:42:51  kernel: IN=eth0 OUT= MAC= SRC=87.98.146.134 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=8275 PROTO=TCP SPT=48597 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0 
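
The question in the post is whether the repeated SYNs are a mitigated flood. A useful check a defender can run over exactly this kind of iptables LOG output is to group the SYNs by (source address, source port, destination port) and look at the spacing: the 13.56.229.65 series arrives 1, 2, 4, 8 and 16 seconds apart from the same source port with consecutive IP IDs, which is the shape of one client retransmitting a SYN that never got a SYN-ACK (the firewall is dropping and logging each retry), not of a flood. A flood shows up as a high count of SYNs per second, usually from many source ports or many sources. The script below is an added example written for this thread, not code from the post or from CentOS; it assumes the log format shown in the post, assumes the year 2018 (syslog lines carry none), and uses a constructed burst from the documentation address 198.51.100.7 and a constructed threshold of 50 SYNs per 5-second window to illustrate the contrast. Tune the threshold to your own traffic.

```python
"""Classify iptables LOG-target SYN entries: client retransmission backoff vs. a SYN burst."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog prefix plus the KEY=VALUE fields written by the kernel LOG target.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+kernel:\s+(?P<fields>.*)$')


def parse_line(line, year=2018):
    """Return a dict of the line's fields (bare tokens such as SYN/ACK/DF go into 'flags')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text = ' '.join(m.group('ts').split())  # collapse the "Jan  7" day padding
    rec = {'ts': datetime.strptime(f'{year} {ts_text}', '%Y %b %d %H:%M:%S'), 'flags': set()}
    for tok in m.group('fields').split():
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
        else:
            rec['flags'].add(tok)
    return rec


def syn_flows(records):
    """Group bare SYNs (SYN set, ACK clear) by (SRC, SPT, DPT), each list sorted by time."""
    flows = defaultdict(list)
    for r in records:
        if 'SYN' in r['flags'] and 'ACK' not in r['flags']:
            flows[(r['SRC'], r['SPT'], r['DPT'])].append(r)
    return {k: sorted(v, key=lambda r: r['ts']) for k, v in flows.items()}


def is_retransmit_backoff(flow):
    """One client retrying: same 4-tuple and gaps that roughly double (1,2,4,8,16 s or 3,6,12 s)."""
    if len(flow) < 3:
        return False
    gaps = [(b['ts'] - a['ts']).total_seconds() for a, b in zip(flow, flow[1:])]
    return all(g1 >= 1 and 1.5 * g1 <= g2 <= 2.5 * g1 for g1, g2 in zip(gaps, gaps[1:]))


def peak_syn_rate(records, window_s=5):
    """Largest number of bare SYNs seen in any window_s-second window, all sources combined."""
    times = sorted(r['ts'] for r in records if 'SYN' in r['flags'] and 'ACK' not in r['flags'])
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines, window_s=5, flood_threshold=50):
    """Summarise a batch of LOG lines: which flows are plain retries, and is the SYN rate a burst."""
    records = [r for r in map(parse_line, lines) if r]
    flows = syn_flows(records)
    peak = peak_syn_rate(records, window_s)
    return {
        'retransmit_flows': sorted(k for k, f in flows.items() if is_retransmit_backoff(f)),
        'distinct_sources': len({r['SRC'] for r in records}),
        'peak_syns_per_window': peak,
        'flood_suspected': peak >= flood_threshold,
    }


# Lines taken from the log quoted in the post (two retry series and one stray ACK).
POSTED_LINES = [
    'Jan  7 13:22:17  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51390 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 13:22:18  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51391 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 13:22:20  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51392 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 13:22:24  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51393 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 13:22:32  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51394 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 13:22:48  kernel: IN=eth0 OUT= MAC= SRC=13.56.229.65 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=51395 DF PROTO=TCP SPT=49500 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0',
    'Jan  7 09:36:09  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=17047 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0',
    'Jan  7 09:36:12  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x02 PREC=0x00 TTL=113 ID=17048 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0',
    'Jan  7 09:36:18  kernel: IN=eth0 OUT= MAC= SRC=207.46.13.169 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=17049 DF PROTO=TCP SPT=12414 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0',
    'Jan  8 01:42:50  kernel: IN=eth0 OUT= MAC= SRC=87.98.146.134 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=51943 PROTO=TCP SPT=48596 DPT=80 WINDOW=4096 RES=0x00 ACK URGP=0',
]


def constructed_burst(n=60):
    """Constructed sample (not from the post): n SYNs within two seconds, a fresh source port each."""
    return [f'Jan  8 02:00:{i // 30:02d}  kernel: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST= LEN=40 '
            f'TOS=0x00 PREC=0x00 TTL=50 ID={1000 + i} PROTO=TCP SPT={40000 + i} DPT=80 '
            f'WINDOW=1024 RES=0x00 SYN URGP=0' for i in range(n)]


if __name__ == '__main__':
    print('posted log only:', classify(POSTED_LINES))
    print('posted log plus constructed burst:', classify(POSTED_LINES + constructed_burst()))
```

On the posted lines alone the script reports both repeated series as retransmit flows and a peak of three SYNs in any five-second window, so nothing flood-like; only the constructed burst trips the threshold. Feed it `grep 'SYN URGP' /var/log/messages` to run it on the real log.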
