A SYN-flood attack is a common way to disrupt network communication: it is a form of Denial-of-Service (DoS) attack, and in practice it is usually distributed (DDoS) and often sent from spoofed source addresses. RFC 4987 ("TCP SYN Flooding Attacks and Common Mitigations") describes the attack and the usual defences against it.

In this post, though, I'm going to share the method I use to reduce the risk of SYN-flood attacks against my department's computers, using iptables. The rules below create a chain that lets through at most 100 SYN packets per second (with a burst of 100) and logs and drops the rest:

# chain: SYNs within the limit RETURN to the caller, the rest are logged and dropped
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 100 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN-flood attempt: "
/sbin/iptables -A syn-flood -j DROP
# the chain does nothing until INPUT sends traffic to it: route incoming SYNs (new connection attempts) through it
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
# note: the LOG rule is not rate-limited itself, so under a real flood it writes one line per dropped SYN
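To see what the limit rule actually does, here is a small Python model of the chain above. It is an added example, not code from the post: it implements the token bucket that iptables' limit match uses (bucket of --limit-burst tokens, refilled at --limit tokens per second, one token per SYN) and runs constructed sample traffic through it, a spoofed flood at 1000 SYN/s plus one legitimate client at 10 SYN/s for two seconds. Timestamps are integer microseconds so the accounting is exact; the kernel's own credit arithmetic differs in detail but behaves the same way.

```python
"""Model of the post's syn-flood chain: a token bucket like iptables' limit match.

Added example, not the post's code. Sample traffic is constructed: a spoofed
flood at 1000 SYN/s plus one legitimate client at 10 SYN/s for two seconds.
"""

UNITS_PER_TOKEN = 1_000_000  # one token = one matching packet


class LimitMatch:
    """Approximates `-m limit --limit RATE/second --limit-burst BURST`.

    The bucket starts full (BURST tokens) and refills at RATE tokens per
    second. A packet matches when at least one whole token is available.
    """

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec
        self.capacity = burst * UNITS_PER_TOKEN
        self.tokens = self.capacity
        self.last_us = 0

    def matches(self, now_us: int) -> bool:
        # RATE tokens per second == RATE units per microsecond (exact integer)
        refill = (now_us - self.last_us) * self.rate
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= UNITS_PER_TOKEN:
            self.tokens -= UNITS_PER_TOKEN
            return True
        return False


def syn_flood_chain(packets, rate=100, burst=100):
    """Run (time_us, label) SYN packets through the chain from the post:
    limit match -> RETURN (accepted); otherwise LOG and DROP.
    Returns {label: {"accepted": n, "dropped": n}}."""
    limit = LimitMatch(rate, burst)
    stats = {}
    for now_us, label in sorted(packets, key=lambda p: p[0]):
        counts = stats.setdefault(label, {"accepted": 0, "dropped": 0})
        if limit.matches(now_us):
            counts["accepted"] += 1   # -j RETURN: back to INPUT, handshake proceeds
        else:
            counts["dropped"] += 1    # -j LOG ...; -j DROP
    return stats


def constructed_traffic(seconds=2):
    """Constructed sample: spoofed flood at 1000 SYN/s and a legitimate client
    at 10 SYN/s, offset by 0.5 ms so the two never tie on a timestamp."""
    flood = [(i * 1_000, "flood") for i in range(seconds * 1000)]
    legit = [(j * 100_000 + 500, "legit") for j in range(seconds * 10)]
    return flood + legit


if __name__ == "__main__":
    for label, counts in syn_flood_chain(constructed_traffic()).items():
        print(f"{label:6s} accepted={counts['accepted']:4d} dropped={counts['dropped']:4d}")
```

Running it shows the trade-off of a single global limit: over two seconds the chain lets through 297 flood SYNs and only 2 of the legitimate client's 20, because the flood eats every token as soon as it is refilled. Without the flood all 20 legitimate SYNs pass, so the rule is harmless in normal operation, but during an attack it turns the flood into a self-inflicted outage for new connections. A per-source limit (iptables' hashlimit match in srcip mode) does not fix this for a flood with spoofed source addresses, since every spoofed address gets its own fresh bucket; that is why the SYN-cookie setting below matters more than the rate limit.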

RFC 4987 also suggests SYN cookies for added protection: instead of holding a half-open connection in the backlog, the server encodes what it needs to know in the initial sequence number of its SYN-ACK and verifies it when the client's final ACK comes back. You can enable SYN cookies in Linux by running this command (as root):

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

With the value 1 the kernel only starts sending cookies once the SYN backlog overflows, so normal traffic is unaffected. The setting is not kept across reboots; add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf to make it permanent.
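To make it clearer why SYN cookies remove the need for backlog state, here is a minimal Python model of the cookie layout RFC 4987 describes (Bernstein's original scheme: 5 bits of a 64-second counter, 3 bits of MSS index, 24 bits of keyed hash). This is an added example, not the kernel's implementation, which uses a different hash function, per-boot random secrets and its own MSS table; the secret, addresses, ports and clock values are constructed for the demonstration.

```python
"""Minimal model of a SYN cookie as described in RFC 4987 (Bernstein's layout).

Added example, not the Linux implementation. The secret, addresses, ports and
clock values are constructed for the demonstration.

Cookie = the server's initial sequence number (32 bits):
  bits 31..27  counter t (increments every 64 s) mod 32
  bits 26..24  index into MSS_TABLE (the MSS the server will honour)
  bits 23..0   keyed hash of (client addr, client port, server addr, server port, t)
The server stores nothing per SYN; the client's final ACK carries cookie + 1.
"""
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)       # encodable MSS values (3-bit field, 4 used)
SECRET = b"constructed-per-boot-secret"   # the kernel draws this randomly at boot


def _counter(now: float) -> int:
    """Coarse 64-second clock; cookies are honoured for the current and previous tick."""
    return int(now) // 64


def _mac24(caddr, cport, saddr, sport, t, secret=SECRET) -> int:
    msg = f"{caddr}:{cport}>{saddr}:{sport}@{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")   # 24 bits


def make_cookie(caddr, cport, saddr, sport, client_mss, now) -> int:
    """Server side on SYN: build the ISN for the SYN-ACK; nothing is stored."""
    t = _counter(now)
    idx = max((i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(caddr, cport, saddr, sport, t)


def check_cookie(cookie, caddr, cport, saddr, sport, now):
    """Server side on the final ACK (cookie = ack_seq - 1).
    Returns the MSS to use, or None if the cookie is forged or stale."""
    t_now = _counter(now)
    for t in (t_now, t_now - 1):
        if (t & 0x1F) == cookie >> 27 and _mac24(caddr, cport, saddr, sport, t) == (cookie & 0xFFFFFF):
            idx = (cookie >> 24) & 0x7
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None


def handshake_demo():
    """Four cases: genuine ACK, bit-flipped ACK, ACK from another source, ACK replayed after expiry."""
    client, cport, server, sport = "198.51.100.7", 40123, "192.0.2.10", 80
    t0 = 1_000_000.0                       # constructed clock value
    isn = make_cookie(client, cport, server, sport, client_mss=1400, now=t0)
    return {
        "genuine": check_cookie(isn, client, cport, server, sport, now=t0 + 5),
        "forged": check_cookie(isn ^ 1, client, cport, server, sport, now=t0 + 5),
        "spoofed_src": check_cookie(isn, "203.0.113.9", cport, server, sport, now=t0 + 5),
        "stale": check_cookie(isn, client, cport, server, sport, now=t0 + 200),
    }


if __name__ == "__main__":
    for case, mss in handshake_demo().items():
        print(f"{case:12s} -> {'accept, MSS ' + str(mss) if mss else 'reject'}")
```

The genuine ACK is accepted and the server recovers an MSS of 1300 (the largest table entry not above the client's 1400), while the flipped, spoofed and 200-second-old cookies are all rejected, with no per-connection memory consumed in between. The model also shows the costs RFC 4987 mentions: the MSS is rounded down to a small table, other TCP options negotiated in the SYN are lost, and an attacker who can guess the 24-bit hash (one chance in about 16 million per try) can complete a bogus handshake.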

hope that helps…

Note: I'm not a full-time sysadmin as I have a different day job, but I was put in charge of securing part of my school's computer network, so there.


About Author

Mohammad Hafiz (mypapit)

Blogger
Alor Setar, Kedah, MALAYSIA


I work with a local university in Malaysia. I code for fun and I support Free and Open Source Software.
