Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2348
  • Last Modified:

SYN Flood Attack

HI

I am receiving following messages in /var/log/messages and on the same server is experience the issue of FTP connection.  

How to prevent this syn flood attack effectively:

Error logs:

Aug 29 18:49:18 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 18:54:41 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 18:56:23 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 18:59:09 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:00:17 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:07:57 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:10:45 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:13:08 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:14:36 localhost kernel: possible SYN flooding on port 25. Sending cookies.
Aug 29 19:16:00 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:17:12 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:18:38 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:20:03 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:21:11 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:22:25 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:24:31 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:26:29 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:27:43 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:29:50 localhost last message repeated 2 times
Aug 29 19:31:11 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:33:58 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:35:50 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:37:08 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:38:41 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:39:54 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:40:57 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:43:02 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:44:03 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:45:48 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:47:13 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:48:37 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:49:48 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:50:57 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:53:54 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:55:49 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:57:28 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 19:59:00 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:01:29 localhost last message repeated 2 times
Aug 29 20:03:14 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:05:32 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:06:56 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:08:17 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:09:20 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:10:21 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:11:22 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:12:49 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:14:28 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:15:31 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:16:50 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:18:58 localhost last message repeated 2 times
Aug 29 20:20:00 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:21:02 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:25:42 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 20:32:37 localhost kernel: possible SYN flooding on port 110. Sending cookies.
Aug 29 21:06:30 localhost kernel: possible SYN flooding on port 80. Sending cookies.
Aug 29 22:30:11 localhost kernel: possible SYN flooding on port 25. Sending cookies.
Aug 30 01:21:07 localhost kernel: possible SYN flooding on port 25. Sending cookies.
Aug 30 05:21:04 localhost kernel: possible SYN flooding on port 25. Sending cookies.
Aug 30 05:22:40 localhost kernel: possible SYN flooding on port 25. Sending cookies.
0
ashwanijain
Asked:
ashwanijain
  • 5
  • 4
1 Solution
 
woolnoirCommented:
It looks like your system 'is' preventing the attack

read this article (http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks) paying special attention to the linux specifics section.

There are also a few hints further down for additional things you can do to mitigate the attack.
0
 
ashwanijainAuthor Commented:
Thanks

What made you determine that kernel is already preventing attacks.  Because during the duration of these logs, this system was not able to make FTP connection to another FTP server.  What could I do to have the FTP work fluently even if such attacks continues ?

Do you thnik putting this server behind IPCOP firewall will benefit.

Regards

Ashu
0
 
woolnoirCommented:
The ' Sending cookies ' section is one of the preventative actions the kernel can take

RedHat, like other Linux operating systems, has implemented a SYN cookies mechanism which can be enabled in the following way:
 # echo 1 > /proc/sys/net/ipv4/tcp_syncookies

from what i can see, thats what the log shows when that mechanism is in place.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
ashwanijainAuthor Commented:
Thanks you !

IF these attacks were prevented, than why this server failed to make SFTP/FTP connection with other server during the period of these attacks.  ?  

WIll you suggest putting this server behind Firewall (IPCOP) for better performance ?

Regards

Ashwani Jain
0
 
woolnoirCommented:
Was the other server involved in the attack ? can you see which server the attacks came from - logs, or a FW device ? in general although the linux box protected itself, it may still have impacted the performance, potentially limiting connectivity during the time - it would need to be audited to determine exactly.

As with any internet facing device, putting it behind a 'stateful' FW device will reduce its exposure to an attack, the FW would of filtered the attack before it reached the box, potentially avoiding any connectivity disruption.

If the attacks happen again - try and get something to log ther source, maybe a ethereal packet sniffer or something like that ?
0
 
ashwanijainAuthor Commented:
ok, there is one confusion,

what could be the RESULT if SYN FLOOD attack was not prevented, I believe it would made system unavailable on network.  

In our case, SYN FLOOD attack was prevented but still it could not perform well on network and failed to make TCP connections.

So what did the Kernel achieve by preventing the SYN FLOOD attack ?


0
 
woolnoirCommented:
check this again http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks though the first item is one way to protect the machine, there are other ways of enhancing its ability, hardening it even more.. further down the page.
0
 
ashwanijainAuthor Commented:
The person hepled quickly and pointed to correct document.  How ever if he could tell steps to harden the linux to avoid SYN FLOOD attacks directly in the ticket instead redirecting to the doc that could be more easier to follow.

Still this was the accureate and timley given solution.
0
 
rfc1180Commented:
>How ever if he could tell steps to harden
I disagree! Why reinvent the wheel; the document was very easy to follow, no reason to put it in any other way.
0
 
ashwanijainAuthor Commented:
THats correct but not excatly in all situations and conditions.  I also googled and found many such documents.  But why I come to Experts-Exchange is that some experts could give solutions based on his own experience.  Understand my issue and provide direct answers/solutions (command and steps) to fix the the issue, but if he again diverting to docs than why to come to experts exchange, I could google around and find such docs.  

Secondly, the document referred by the expert was helpful to understand the issue and fix it, he also helped in clearing up some confusion arising after reading the doc but still that doc did not tell specific command to change values for synack_backlog size and synack_retries.  Changing the values for two entries was the exact solution.  If I could get to know by the Experts that just go and change values for these two variables (also steps to change these) than it could have saved much of my time.

Still I say woolnair helped me a lot by replying quickly to all my queries.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now