DDoS Protection
NikoB, 2012-04-02 12:16:41

Iptables and SYN flood?

There is currently a SYN flood attack on my server, and only from one IP address, but the server still regularly goes "silent" for 5-7 minutes and is then available for 15-20 seconds.
I entered this IP into iptables with the following command:

iptables -A INPUT -p all -s 178.173.168.238 -j DROP

But a bunch of SYN_RECV entries from this IP still appear in netstat. When I run iptables -L INPUT, this IP is there! How do I block all connections from this IP???
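Added example, not from the thread: rules are evaluated in order, so a DROP appended with -A lands after every earlier ACCEPT and never sees packets those rules already accepted; inserting at the top with -I avoids that, and tcp_syncookies plus a per-source SYN rate limit (the rate values are assumed) blunt the flood itself. The script only prints the commands unless APPLY=1 is set, and includes a checker over constructed iptables -S output.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables ruleset for the
# situation in the question; set APPLY=1 to actually execute the commands
# (needs root). Rate numbers below are assumed, not from the thread.
set -eu

# Print each command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Rules for one flooding source. -I (insert) instead of -A (append): an
# appended DROP sits after every earlier ACCEPT rule, so packets matched by
# an earlier ACCEPT never reach it, which is one common reason a DROP that
# is visible in iptables -L still lets SYN_RECV entries appear.
syn_flood_rules() {
    bad_ip="$1"
    run sysctl -w net.ipv4.tcp_syncookies=1
    run iptables -I INPUT 1 -s "$bad_ip" -j DROP
    # Limit new-connection (SYN) rate per source; values are assumptions.
    run iptables -I INPUT 2 -p tcp --syn -m hashlimit \
        --hashlimit-name synflood --hashlimit-mode srcip \
        --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
}

# Check: read `iptables -S INPUT` output on stdin and succeed only if the
# DROP for the given IP comes before the first ACCEPT rule.
drop_precedes_accept() {
    awk -v ip="$1" '
        /^-A / && /-j ACCEPT/ && !seen { exit 1 }
        /^-A / && index($0, "-s " ip) && /-j DROP/ { seen = 1 }
        END { exit seen ? 0 : 1 }'
}

# Constructed sample of a mis-ordered chain (the append-order mistake).
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 178.173.168.238/32 -j DROP'

if printf '%s\n' "$SAMPLE_BAD" | drop_precedes_accept 178.173.168.238; then
    echo "DROP is ordered correctly"
else
    echo "DROP is shadowed by an earlier ACCEPT; use -I INPUT 1"
fi
syn_flood_rules "${1:-178.173.168.238}"
```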


3 answer(s)
nick5, 2012-04-02
@NikoB

Is 178.173.168.238 the attacker's IP address? Access it through a browser.
Enter admin:admin... You won't believe it...

mihavxc, 2012-04-03
@mihavxc

I have it like this:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

xandr0s, 2012-04-02
@xandr0s

If this is a SYN flood, maybe it makes sense to write rules specifically for the SYN, ACK SYN… flags?
