Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 473
  • Last Modified:

How to defend against a sync flood attack?

Hello, I heard on the sync flood attack which is being used for the DOS (Denial of Service). Is there a way in Linux we can prevent it? Thanks!
0
beer9
Asked:
beer9
  • 3
  • 3
1 Solution
 
woolmilkporcCommented:
Hi,

this is the official CERT advisory.

http://www.cert.org/advisories/CA-1996-21.html

Basically it says that ...

There is, as yet, no generally accepted solution to this problem with the current IP protocol technology. However, proper router configuration can reduce the likelihood that your site will be the source of one of these attacks.

wmp
0
 
Hugh FraserConsultantCommented:
The advisory also gives some advice for configuring routers  to reduce the effectiveness of an attack. Keep in mind that the attack relies on the use of a source address that won't complete the three-way handshake, so the use of non-routable addresses is common and easily filtered.

In addition, most firewalls or intrusion prevention systems offer some detection and connection throttling to protect downstream systems.
0
 
beer9Author Commented:
Do we have any tool on hosts (linux box) which can help us to prevent/defend this attack? what I should do if I notice this attack?

I am curious to know if anything I can do at hosts level.
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
Hugh FraserConsultantCommented:
Iptables is a powerful tool for defending against several attacks. Beyond simple rules to deny connections from non-routable addresses, it also provides features like connection throttling to limit the effectiveness of these attacks. There are several web sites with details on how to block things like Xmas attacks, etc..

Add a tool like ossec to watch the logs created by iptables to give you a heads up when something's going on.

Finally, there's no substitute for a dedicated ips/firewall to take the brunt of this and offload your apps servers and workstations. There are plenty of opensource solutions, many based on tools like snort.
0
 
beer9Author Commented:
Hi hfraser, When you say "Keep in mind that the attack relies on the use of a source address that won't complete the three-way handshake, so the use of non-routable addresses is common and easily filtered."

then i think you are talking about private-ip address (non-routable). But if my laptop has private IP address and it is behind a wifi router and using NAT. so does it mean iptables on web server on which I am sending the request can filter my traffic?? Thanks!
0
 
Hugh FraserConsultantCommented:
Since the syn flood relies on a source ip that cannot complete the handshake, any impossible-to-reach address will do. Usually, you will filter traffic from private-ip ranges only on your border device like your WiFi router or a firewall. It's not a technique that applies to your laptop.

Keep in mind there are several private-ip ranges, so even if you're using 192.168 internally, you can still filter out the other ranges.
0
 
beer9Author Commented:
Thank you! :-)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now