I've had issues recently with SYN flood attacks against one of my internet-facing servers. I've been looking into ways of dealing with them through the sysctl configuration file. Edit this file and consider adding the config below:
sudo nano /etc/sysctl.conf
Enabling SYN cookies
This is the most effective single defence against a SYN flood. With SYN cookies the server does not have to drop new connections when the SYN queue fills up; instead it behaves as if the queue had been enlarged. It sends the usual SYN+ACK to the client but discards the SYN queue entry. If a legitimate client then completes the handshake with an ACK, the kernel reconstructs the queue entry from information encoded in the TCP sequence number it sent (the "cookie"). With the value 1, Linux only switches to the cookie path once the backlog is actually full, so enabling it costs nothing in normal operation. Most current distributions already ship with it on, so check the current value before assuming it is off:
sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Increasing the SYN backlog queue
An optional additional measure is to increase the SYN backlog queue size. The default is 1024 on most systems (the kernel scales it with available memory). Note that the effective queue for a listening socket is also capped by net.core.somaxconn and by the backlog the application passes to listen(), so raising this value alone may have no visible effect.
net.ipv4.tcp_max_syn_backlog = 2048
Reducing SYN_ACK retries
Lowering the kernel parameter tcp_synack_retries makes the kernel give up on half-open (SYN_RECV) connections sooner. Each unanswered SYN+ACK is retransmitted with exponential backoff (after 1s, 2s, 4s, ...), so the default of 5 retries keeps a spoofed entry for about 63 seconds, while 3 retries drops it after about 15 seconds. Do not go much lower, or clients on lossy or high-latency links will fail to connect.
net.ipv4.tcp_synack_retries = 3
Setting SYN_RECV timeout
Linux does not expose a separate SYN_RECV timeout as a sysctl. How long a half-open connection stays in SYN_RECV is determined entirely by tcp_synack_retries (above), so that is the parameter to lower. You can watch how many half-open connections are pending at any moment with:
ss -n state syn-recv
Preventing IP spoofing
Reverse-path filtering drops packets whose source address is not reachable back through the interface they arrived on, which blocks some spoofed sources (for example, SYNs claiming to come from your own internal network arriving on the external interface). It is not a SYN flood defence on its own: on an internet-facing host with a default route, a forged public source address is still "reachable" and passes the check. Set net.ipv4.conf.default.rp_filter to the same value so that interfaces brought up later inherit it, and use 2 (loose mode) instead of 1 (strict mode) on multi-homed hosts with asymmetric routing, otherwise legitimate traffic will be dropped.
net.ipv4.conf.all.rp_filter = 1
After modifying the sysctl configuration file, load the settings into the running kernel (no reboot is needed) with the following command, which reads /etc/sysctl.conf:
sudo sysctl -p
On systems that keep drop-in files under /etc/sysctl.d/, use sudo sysctl --system instead to reload everything, and verify the result with sysctl net.ipv4.tcp_syncookies (or any of the other keys).
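As an added example, not part of the original post, here is a small POSIX shell script that audits a sysctl.conf-style file for the four settings above (the thresholds are the ones recommended on this page) and can also snapshot the running kernel's values from /proc. The two sample configuration files it checks are constructed for the demonstration, and the function names (get_value, check_one, audit_file, audit_running, demo) are mine, not anything from the original post or from sysctl itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file
# for the SYN-flood settings discussed above. Thresholds follow the post's
# recommended values; the two sample configs below are constructed.

SYN_KEYS="net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog \
net.ipv4.tcp_synack_retries net.ipv4.conf.all.rp_filter"

# get_value FILE KEY: print the value assigned to KEY in FILE (the last
# assignment wins, as with sysctl itself); print nothing if absent.
# Accepts "key = value" and "key=value"; skips blank lines and lines
# starting with '#' or ';' (the only comment form sysctl(8) recognises).
get_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            n = index($0, "="); if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) last = val
        }
        END { if (last != "") print last }' "$1"
}

# check_one FILE KEY OP WANT: OP is eq|ge|le. Prints one verdict line and
# returns 0 only when the key is present and satisfies the comparison.
check_one() {
    file=$1; key=$2; op=$3; want=$4
    have=$(get_value "$file" "$key")
    if [ -z "$have" ]; then
        printf 'MISSING %s (want %s %s)\n' "$key" "$op" "$want"; return 1
    fi
    ok=1
    case $op in
        eq) if [ "$have" -eq "$want" ]; then ok=0; fi ;;
        ge) if [ "$have" -ge "$want" ]; then ok=0; fi ;;
        le) if [ "$have" -le "$want" ]; then ok=0; fi ;;
    esac
    if [ $ok -eq 0 ]; then
        printf 'OK      %s = %s\n' "$key" "$have"
    else
        printf 'WEAK    %s = %s (want %s %s)\n' "$key" "$have" "$op" "$want"
    fi
    return $ok
}

# audit_file FILE: run every check; return the number of weak/missing settings.
audit_file() {
    fails=0
    check_one "$1" net.ipv4.tcp_syncookies      eq 1    || fails=$((fails + 1))
    check_one "$1" net.ipv4.tcp_max_syn_backlog ge 2048 || fails=$((fails + 1))
    check_one "$1" net.ipv4.tcp_synack_retries  le 3    || fails=$((fails + 1))
    check_one "$1" net.ipv4.conf.all.rp_filter  ge 1    || fails=$((fails + 1))
    return $fails
}

# audit_running: write the live kernel values from /proc/sys into a temporary
# file in sysctl.conf syntax and audit that (keys missing from /proc are
# reported as MISSING).
audit_running() {
    tmp=$(mktemp) || return 2
    for key in $SYN_KEYS; do
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then printf '%s = %s\n' "$key" "$(cat "$path")"; fi
    done > "$tmp"
    audit_file "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: a stock-looking file with cookies off, the default
# backlog and retries, and no rp_filter entry at all.
sample_weak() {
    cat <<'EOF'
# constructed sample /etc/sysctl.conf, not from a real host
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog=1024
; retries left at the kernel default
net.ipv4.tcp_synack_retries = 5
EOF
}

# Constructed sample: the hardened file this post arrives at.
sample_hardened() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.ipv4.conf.all.rp_filter = 1
EOF
}

# demo: audit both samples; return 0 only if the weak file fails all four
# checks and the hardened file passes all of them.
demo() {
    w=$(mktemp); h=$(mktemp)
    sample_weak > "$w"; sample_hardened > "$h"
    echo "== weak sample ==";     audit_file "$w" && wf=0 || wf=$?
    echo "== hardened sample =="; audit_file "$h" && hf=0 || hf=$?
    rm -f "$w" "$h"
    if [ "$wf" -eq 4 ] && [ "$hf" -eq 0 ]; then return 0; else return 1; fi
}

# Command-line use: "sh syn_audit.sh FILE" audits FILE and exits with the
# number of weak/missing settings; with no argument only the functions are
# defined, so the file can be sourced.
[ $# -eq 0 ] || audit_file "$1"
```

Run it against /etc/sysctl.conf before and after the edit, or source it and call audit_running to compare the file with what the kernel is actually using (a drop-in under /etc/sysctl.d/ can silently override the main file). To confirm a flood is really overflowing the backlog rather than just suspected, look for the kernel's "Possible SYN flooding on port" message in dmesg and watch the TcpExtSyncookiesSent counter with nstat -az TcpExtSyncookiesSent; both only move once the cookie path is engaged.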