Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Best defense for Syn Flood?

    Scheduled Pinned Locked Moved
    General pfSense Questions
    3
    6
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nfld_republicN
      nfld_republic
      last edited by

      Hi Folks - Hopefully and easy question:
      Other than manually blocking individual IPs and/or netblocks, what is the best defense for syn floods?

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        If you need to accept TCP SYN packets your options are limited. You want to drop and not log them for best performance but detecting that is an issue. You can try running Snort to flag and block the source IPs but if it's a DDOS attack that amy not help much. If you know where, approximately, the traffic you need to allow is coming from you can use pfBlocker to setup geoip aliases for allowed sources and drop everything else.
        Other than that you can increase the state table size and decrease the TCP state timeouts to clear SYN states faster.

        Steve

        1 Reply Last reply Reply Quote 0
        • nfld_republicN
          nfld_republic
          last edited by

          That is, unfortunately, what I thought. The server is a web server so, I believe that it needs to accept SYN packets. Ugg...

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            What are the symptoms you see when this happens, does it fill the state table?

            Do you really need to allow access to the server from anywhere in the world?

            Steve

            1 Reply Last reply Reply Quote 0
            • nfld_republicN
              nfld_republic
              last edited by

              This is a web server supporting our gaming server. Information on the rules, etc. are hosted there. Players are worldwide (including Russia, Ukraine, China, etc.) The state table is not filling up. However, it is a steady stream of SYN_RECV and SYN_ACK.

              It seems that most of the connections were coming from Malta and Amazon AWS EC2 (Germany) whilst Turkey has stopped. I ended up blocking Malta and AWS (using pfBlockerNG). There is no reason for AWS EC2 to be accessing the site anyway.

              Interestingly, AWS EC2 has over 10,000 blocks in one hour from two IPs...

              1 Reply Last reply Reply Quote 0
              • B
                biggsy
                last edited by

                This has been going on for a few months now and is very likely a SYN-ACK flood, as opposed to a SYN flood.

                The source IPs in the SYN packets are forged. Using forged IPs, the attackers can select any set of source (victim) addresses they want. Those victims are flooded with SYN-ACK packets.

                Blocking the traffic will only be effective until they choose another victim, which they seem to do regularly.

                Sadly, there really isn't much you can do. Search for "Anatomy of a SYN ACK attack". I'd post the link but Akismet is stopping me.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post