Tuesday, March 22, 2011

Prevent SYN flood [SYN_RECV] attacks on a Linux (cPanel) server


One of my Linux servers (CentOS, cPanel) is under a SYN flood attack. The SYN packets come from many different spoofed IP addresses and ports, as the netstat output below shows.


root@yes [~]# netstat -n -p | grep SYN_REC | sort -u
tcp        0      0 66.7.221.78:80              109.230.222.43:19324        SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51875       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51877       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51881       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.67.0.116:1864           SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2130         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2588         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2986         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:3162         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:3296         SYN_RECV    -
tcp        0      0 66.7.221.78:80              117.200.155.197:3742        SYN_RECV    -
tcp        0      0 66.7.221.78:80              117.200.155.197:4116        SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:44640         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:44663         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:60025         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.96.143.54:49278         SYN_RECV    -
tcp        0      0 66.7.221.78:80              119.148.10.218:49468        SYN_RECV    -
tcp        0      0 66.7.221.78:80              122.164.96.85:2034          SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:38001       SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:40720       SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:54342       SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.10.19.52:49852          SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.187.223.212:44272       SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.220.231.2:37871         SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.110.125.52:40194        SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.130.252.141:48734       SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.82.12.188:55490         SYN_RECV    -
tcp        0      0 66.7.221.78:80              131.179.150.72:49705        SYN_RECV    -
tcp        0      0 66.7.221.78:80              137.165.1.115:43573         SYN_RECV    -
tcp        0      0 66.7.221.78:80              141.219.252.133:44643       SYN_RECV    -
tcp        0      0 66.7.221.78:80              149.135.70.236:29968        SYN_RECV    -
tcp        0      0 66.7.221.78:80              149.135.70.236:38562        SYN_RECV    -
tcp        0      0 66.7.221.78:80              164.107.127.13:51938        SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.12:47415         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.15:51748         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.15:51782         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.18:44910         SYN_RECV    -
tcp        0      0 66.7.221.78:80              170.140.119.70:33785        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.14.76.218:64671         SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.17.218.10:21347         SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.212.238.60:41009        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.218.74.187:50490        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38248        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38546        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38556        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:46806        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:46809        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:47387        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.242.125.196:37477       SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.68.57.13:60290          SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.86.120.225:60333        SYN_RECV    -

And so on.

The total number of attacking IPs is 576 today; it was 1024 yesterday.

root@host [~]# netstat -n -p|grep SYN_REC | wc -l
576
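Before choosing a countermeasure it helps to know whether the half-open connections come from a few sources, which per-IP blocking can handle, or from hundreds of addresses sending one or two SYNs each, as in the listing above. The shell functions below are an added example, not part of the original post: they read `netstat -n -p` output on stdin and summarise SYN_RECV sockets by remote address. The sample lines are constructed from documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: summarise half-open (SYN_RECV)
# sockets in "netstat -n -p" output by remote address.

# Constructed sample in netstat's column layout (documentation addresses,
# not real traffic): three sources, one of them sending several SYNs, plus
# an unrelated established SSH session that must not be counted.
SAMPLE='tcp        0      0 192.0.2.10:80     198.51.100.7:19324   SYN_RECV    -
tcp        0      0 192.0.2.10:80     198.51.100.7:51875   SYN_RECV    -
tcp        0      0 192.0.2.10:80     198.51.100.7:51877   SYN_RECV    -
tcp        0      0 192.0.2.10:80     203.0.113.9:1864     SYN_RECV    -
tcp        0      0 192.0.2.10:80     203.0.113.44:2130    SYN_RECV    -
tcp        0      0 192.0.2.10:22     203.0.113.44:44272   ESTABLISHED 1234/sshd'

# Print "count address" per remote source, busiest first. Column 5 is the
# foreign address and column 6 the socket state; the trailing :port is stripped.
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Total half-open sockets, i.e. what "grep SYN_REC | wc -l" counts.
syn_recv_total() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Number of distinct sources. When this is close to the total, almost every
# address sent a single SYN, which is what a spoofed flood looks like, and
# per-address blocking (CSF, -m recent) cannot keep up.
syn_recv_sources() {
    syn_recv_by_source | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a live server use
#   netstat -n -p | syn_recv_by_source | head
printf '%s\n' "$SAMPLE" | syn_recv_by_source
```

On the sample, the total is 5 half-open sockets from 3 sources, with one source responsible for 3 of them. A listing like the one in this post, where the number of sources is almost equal to the number of SYN_RECV entries, is the case where per-address rules alone will not help.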

I've used CSF (ConfigServer Firewall), but it is not protecting the server. I set the parameters below (High Security Level):

Code:
SYNFLOOD  = 1
SYNFLOOD_RATE  = 1/s
SYNFLOOD_BURST  = 3

When it is running, I am not able to log in to the server and all services are down, so I stopped it. The inetbase DDoS script is not working either...

This solution worked until today, when the attacker increased the number of spoofed IPs.

I am also using iptables to filter incoming TCP SYN requests. My iptables rules are below:

Code:
# Limit the number of incoming TCP connections
# Interface 0 incoming SYN-flood protection: every TCP SYN goes through the
# syn_flood chain, which passes 1 per second (burst 3) and drops the rest.
# The limit is global, shared by all sources, not per address.
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# Limit incoming ICMP ping requests: accept 1/s, log the overflow at 1/s, drop the rest
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT


I've limited incoming TCP requests on port 80 with iptables:

Code:
# Track every new connection to port 80 in the "recent" list http_flood and
# drop a source that has made 3 or more in 10 seconds.
# Note: -I inserts at the top of INPUT, so after both commands the DROP rule
# sits above the --set rule and is evaluated first.
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
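As an added example (not from the original post), here is the same per-source limit rewritten as a dedicated chain so that the rule order is explicit, together with the kernel's SYN cookie setting, which is the standard answer when the sources are spoofed and per-IP blocking cannot keep up. The chain name `http_guard` and the `IPT`/`SYSCTL` variables are assumptions made for this script; setting `IPT=echo SYSCTL=echo` prints the commands instead of running them, so the rules can be reviewed without root. The global 1/s limit from the syn_flood chain above is left out on purpose: it drops legitimate SSH and mail SYNs as well, which is exactly the lockout described earlier in this post.

```shell
#!/bin/sh
# Added example, not part of the original post. The chain name http_guard and
# the IPT / SYSCTL variables are assumptions; set IPT=echo SYSCTL=echo to
# preview the commands without root.

apply_syn_rules() {
    ipt="${IPT:-iptables}"
    sysctl_cmd="${SYSCTL:-sysctl}"

    # Dedicated chain for new connections to port 80; ignore "chain exists".
    $ipt -N http_guard 2>/dev/null || true
    $ipt -F http_guard

    # Appended with -A, so the rules run in the order written:
    # 1. record this source address in the "recent" list http_flood,
    # 2. drop if the same source has sent 3 or more SYNs within 10 seconds,
    # 3. otherwise accept.
    $ipt -A http_guard -m recent --name http_flood --set
    $ipt -A http_guard -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP
    $ipt -A http_guard -j ACCEPT

    # Only SYN packets (new connections) to port 80 enter the chain; other
    # services are not touched, so the admin keeps SSH access.
    $ipt -I INPUT 1 -p tcp --syn --dport 80 -j http_guard

    # SYN cookies let the kernel answer a SYN without holding a SYN_RECV entry
    # for it, so spoofed sources cannot fill the backlog. The backlog value is
    # a common choice, not a recommendation from the original post.
    $sysctl_cmd -w net.ipv4.tcp_syncookies=1
    $sysctl_cmd -w net.ipv4.tcp_max_syn_backlog=4096
}

# Run "sh this_script.sh apply" as root to install the rules; sourcing the
# file only defines the function.
if [ "${1:-}" = "apply" ]; then
    apply_syn_rules
fi
```

Two things to keep in mind when tuning this: a browser opens several parallel connections per page, so a limit of 3 new connections in 10 seconds per address will also cut off ordinary visitors and should be raised for real traffic; and the `recent` match can only help against sources that repeat, so against a flood where each spoofed address sends a single SYN the SYN cookie setting is what actually keeps the server reachable.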

This should help prevent SYN_RECV flood attacks on a Linux server. You can try it at your own risk.

Thank You
