Best defense for Syn Flood?
Hi Folks - Hopefully an easy question:
Other than manually blocking individual IPs and/or netblocks, what is the best defense for syn floods?
If you need to accept TCP SYN packets your options are limited. You want to drop and not log them for best performance but detecting that is an issue. You can try running Snort to flag and block the source IPs but if it's a DDOS attack that may not help much. If you know where, approximately, the traffic you need to allow is coming from you can use pfBlocker to set up geoip aliases for allowed sources and drop everything else.
Other than that you can increase the state table size and decrease the TCP state timeouts to clear SYN states faster.
That is, unfortunately, what I thought. The server is a web server so, I believe that it needs to accept SYN packets. Ugg...
What are the symptoms you see when this happens, does it fill the state table?
Do you really need to allow access to the server from anywhere in the world?
This is a web server supporting our gaming server. Information on the rules, etc. is hosted there. Players are worldwide (including Russia, Ukraine, China, etc.) The state table is not filling up. However, it is a steady stream of SYN_RECV and SYN_ACK.
It seems that most of the connections were coming from Malta and Amazon AWS EC2 (Germany) whilst Turkey has stopped. I ended up blocking Malta and AWS (using pfBlockerNG). There is no reason for AWS EC2 to be accessing the site anyway.
Interestingly, AWS EC2 has over 10,000 blocks in one hour from two IPs...
This has been going on for a few months now and is very likely a SYN-ACK flood, as opposed to a SYN flood.
The source IPs in the SYN packets are forged. Using forged IPs, the attackers can select any set of source (victim) addresses they want. Those victims are flooded with SYN-ACK packets.
Blocking the traffic will only be effective until they choose another victim, which they seem to do regularly.
Sadly, there really isn't much you can do. Search for "Anatomy of a SYN ACK attack". I'd post the link but Akismet is stopping me.
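As a defender-side illustration of the distinction drawn in the last reply (added here, not code from any poster or from pfSense), the script below counts half-open states per remote address from constructed state lines in a pfctl -ss style layout and flags whether they concentrate on a few addresses, which fits SYN-ACK reflection against a few victims, or spread across many, which fits a randomly spoofed SYN flood. The line layout, state names, server address, sample data and thresholds are all assumptions.

```python
import re
from collections import Counter

# Assumed layout of one state line (pfctl -ss style):
#   "all tcp SERVER:PORT <- REMOTE:PORT STATE"
STATE_RE = re.compile(r"^\S+\s+tcp\s+\S+\s+<-\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\S+)$")

def half_open_by_source(lines):
    """Count states per remote IP that are still in a SYN phase.

    A state that never leaves the SYN phase is a handshake the remote side never
    completed: either a spoofed SYN (nobody answers) or a reflected SYN-ACK (the
    'source' is the real victim and discards the SYN-ACK we sent it).
    """
    counts = Counter()
    for line in lines:
        m = STATE_RE.match(line.strip())
        if m and "SYN" in m.group(2):
            counts[m.group(1)] += 1
    return counts

def classify(counts, flood_threshold=100, top_n=2, concentration=0.8):
    """Return 'normal', 'syn-flood' or 'syn-ack-reflection' from half-open counts.

    Random-spoofed SYN floods spread across many sources; reflection aimed at a
    few victims shows up as a few 'sources' with huge counts (the thread's
    "10,000 blocks in one hour from two IPs" pattern). Thresholds are assumed.
    """
    total = sum(counts.values())
    if total < flood_threshold:
        return "normal"
    top = sum(n for _, n in counts.most_common(top_n))
    return "syn-ack-reflection" if top / total >= concentration else "syn-flood"

def constructed_states():
    """Constructed sample: two 'sources' dominate, everyone else completes."""
    lines = []
    for ip, n in (("198.51.100.7", 70), ("198.51.100.8", 60)):
        lines += [f"all tcp 203.0.113.10:443 <- {ip}:{40000 + i} SYN_SENT:SYN_RCVD"
                  for i in range(n)]
    lines += [f"all tcp 203.0.113.10:443 <- 192.0.2.{i}:5{i:04d} ESTABLISHED:ESTABLISHED"
              for i in range(1, 6)]
    lines.append("all tcp 203.0.113.10:443 <- 192.0.2.77:6000 SYN_SENT:SYN_RCVD")
    return lines

if __name__ == "__main__":
    c = half_open_by_source(constructed_states())
    print(c.most_common(3), classify(c))
```

In the reflection case the dominant "sources" are the victims, so blocking them only buys time until the attacker picks new ones, as the reply above says; in the spread case, shorter state timeouts and a larger state table are the relevant knobs.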