Stopping DDOS TCP SYN and UDP flood attacks


SYN Flood can be mitigated by enabling SYN Cookies. SYN Cookies prevent an attacker from filling up your SYN queues and make your services unreachable to the legitimate user.
On Linux, those are some settings you can use to enable and set up SYN Cookies efficiently:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
To make those settings load automatically on startup, add those lines to the file /etc/sysctl.conf:
Code:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
It is possible to protect a Windows box too, as it's described in this article by Microsoft. Windows Vista and above have SYN attack protection enabled by default.
As for UDP flood, unfortunately there isn't much you can do about it. However, in an ICMP/Ping flood, you can set up your server to ignore Pings, so an attack will be only half-effective as your server won't consume bandwidth replying to the thousands of Pings it's receiving.
You can do that by running this configuration:
Code:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
And naturally, add this line to the file /etc/sysctl.conf:
Code:
net.ipv4.icmp_echo_ignore_all = 1
But beware: some watchdog systems require ICMP Echo to be enabled in order to work. Some rented servers will require you to leave ICMP Echo enabled because of that. But you can still use iptables to disable Ping on only some interfaces.
On Windows this can be done with the command:
Code:
netsh firewall set icmpsetting 8 disable
Windows Firewall must be active.
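As an added example (not part of the answer above), a small Python checker that parses /etc/sysctl.conf syntax and reports which of the three SYN-cookie settings recommended in the answer are missing or weaker than recommended. The sample config it runs on is constructed; the ICMP setting is left out on purpose, since the answer notes some watchdogs need Ping.

```python
# Values the answer recommends for /etc/sysctl.conf (ICMP echo left out).
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_max_syn_backlog": 2048,
    "net.ipv4.tcp_synack_retries": 3,
}

def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: 'key = value' lines, '#'/';' comments, blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # comment, blank or malformed line
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Map each recommended key that is absent or weaker than recommended to a reason."""
    problems = {}
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        if have is None:
            problems[key] = "missing, kernel default applies"
        elif not have.isdigit():
            problems[key] = f"non-numeric value {have!r}"
        elif key.endswith("tcp_syncookies") and int(have) == 0:
            problems[key] = "0: SYN cookies disabled"
        elif key.endswith("tcp_max_syn_backlog") and int(have) < want:
            problems[key] = f"{have}: SYN backlog smaller than {want}"
        elif key.endswith("tcp_synack_retries") and int(have) > want:
            problems[key] = f"{have}: more SYN-ACK retries than {want}"
    return problems

# Constructed sample: SYN cookies on, backlog too small, retries commented out.
SAMPLE_CONF = """# constructed /etc/sysctl.conf sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 512
; net.ipv4.tcp_synack_retries = 3
"""

if __name__ == "__main__":
    for key, msg in audit(parse_sysctl_conf(SAMPLE_CONF)).items():
        print(f"{key}: {msg}")
```

Pointing it at the real file (`audit(parse_sysctl_conf(open("/etc/sysctl.conf").read()))`) tells you whether the persistent config matches the answer; the running kernel values are in /proc/sys/net/ipv4/ and may differ until `sysctl -p` or a reboot.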