A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
In order to understand a syn flood attacks, we first need to understand the TCP/IP handshake.
Normally when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
Now a days these kind of attacks have become common and affecting small or large scale businesses. This attacks can be careed out by individual person or even a group. The affect with a large group of hackers attacking a server will lead to non accessability and downtime of server.
Defense against syn flood attacks
Basic iptables protection techniques:
By adding these below rules. You can reduce the attacks to minimum level to detect the attackers.
# iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
# iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT
With these above rules, you might restrict some of legitmate traffic. We recommend to use these rules when under attack only.
Some SYN attacks are easy to filter because they have the same ‘unusual’ parameters in the TCP header. Most attacking tools (including hping) do not set this parameter by default.
# iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
These above techniques are for low range SYN DDOS Attacks
Hardware DDOS Protection.
We recommend for using of hardwares manufactured by Cisco etc.. Or you can go with Commerical tools and services provided by Cloudflare, Prolexic, Incapsula, Arbor Networks, Fortinet etc.