# DDoS protection

## cerebrum

Hi all... I have a problem:

somebody sends HUGE traffic to my server with just connect requests to port 80... Apache isn't loading the CPU very high...

But I can't connect to Apache via browser...

What can I do???

----------

## Prompty

block all traffic on port 80 for the time being .... 

or block IP/IPs of those DDoSing you ...

can you get to the server in any other way? ssh? telnet? rootkit ^_^ ?

how do you know it's a DoS?

----------

## profy

Use iptables to limit the number of accesses with the limit module; you can choose the frequency of TCP SYN packets, like 5 per second. But other users will be limited too. I remember a kernel feature which protects against DoS attacks; look at it too.

----------

## kashani

You might try enabling syncookies as well. With syncookies enabled the OS will wait till the three-way TCP handshake is finished before handing the connection over to the daemon. Most SYN attacks just do the first part of the handshake trying to get the most bang for their buck, so this has a high chance of stopping the attacks without affecting normal users.

IIRC it's a kernel config in the Networking menu.

kashani

----------

## CRC

*kashani wrote:*

> You might try enabling syncookies as well. With syncookies enabled the OS will wait till the three way TCP handshake is finished before handing the connection over to the daemon. Most SYN attacks just do the first part of the handshake trying to get the most bang for their buck so this has a high chance of stopping the attacks without affecting normal users.
> 
> IIRC it's a kernel config in the Networking menu.
> 
> kashani


Actually, it's not just bang for the buck. It's a resource depletion issue. There is a finite number of half-open connections allowed, and the TCP standard allows for very long timeouts waiting for the SYN-ACK. Since you can send fake SYN packets with any address and port combination you want, you can cause a huge number of fake connections that take so long to time out that you can overflow the connection table and make the server stop responding to connections, even from a dial-up modem in some cases.

SYN cookies change the way this works so there is no connection table needed. You'll have to turn it on in the kernel, and turn it on every time you boot with a sysctl or with

```sh
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
```

Additionally, SYN cookies are only used when the server's SYN table is completely full, as you lose your TCP options and hit some other issues when SYN cookies come into play... however, you can still make connections and survive the SYN flood!

-- Evan
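A simplified model of what Evan describes, added here as an example and not taken from the thread or from the Linux kernel's implementation: the server folds the connection's identity into the initial sequence number it sends in the SYN-ACK, then verifies the client's final ACK with a keyed hash instead of looking it up in a half-open table. The addresses, the secret, the 64-second time counter and the cookie bit layout are all constructed for illustration; only the MSS survives the round trip, which is why other TCP options are lost when cookies are in use.

```python
import hashlib
import hmac

# Constructed layout of the 32-bit cookie (not the kernel's real encoding):
#   top 5 bits  : time counter (64 s granularity) so old cookies expire
#   next 3 bits : index into MSS_TABLE, the only option that is preserved
#   low 24 bits : keyed MAC over the 4-tuple and the counter
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = b"constructed-secret-rotate-periodically"  # hypothetical key


def _mac(src, sport, dst, dport, count):
    """24-bit MAC binding the cookie to this 4-tuple and time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now):
    """Server side on SYN: compute the ISN for the SYN-ACK and store nothing."""
    count = (now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, count)


def check_cookie(src, sport, dst, dport, ack, now):
    """Server side on ACK: return the negotiated MSS if the cookie is valid and
    fresh, else None. No per-connection state is consulted."""
    cookie = (ack - 1) & 0xFFFFFFFF          # client ACKs our ISN + 1
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now // 64) & 0x1F
    if count not in (cur, (cur - 1) & 0x1F):  # accept current or previous slot
        return None
    if mac != _mac(src, sport, dst, dport, count):  # forged or replayed elsewhere
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Legit client completes the handshake; a spoofed SYN leaves no state and a
    forged or stale ACK is rejected. Returns the three outcomes."""
    now = 1_000_000                                  # constructed clock value
    srv = ("203.0.113.10", 80)                       # constructed addresses
    cli = ("198.51.100.7", 40001)
    isn = make_cookie(*cli, *srv, 1460, now)        # SYN-ACK sent, table untouched
    good = check_cookie(*cli, *srv, isn + 1, now + 1)      # real ACK a moment later
    forged = check_cookie(*cli, *srv, 0x12345678, now)     # guessed ACK number
    stale = check_cookie(*cli, *srv, isn + 1, now + 200)   # ACK arrives 3+ min late
    return good, forged, stale
```

Because the server keeps nothing between SYN and ACK, a flood of spoofed SYNs cannot fill a table; the cost is that anything not encoded in the cookie (window scaling, SACK) is forgotten for connections accepted this way.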

----------

