

Protecting a server from DDOS and SYN Floods




Posted by zhuki, 04-05-2010, 10:37 AM
Hey everyone. I've been reading the threads here on the forums about protecting a virtual dedicated server from SYN flood attacks and DDoS attacks. I have tried those iptables solutions to block SYN packets, but they usually slow down the whole loading of the site or lock it for me as well without an attack actually taking place. Anyway, could someone take me to a good tutorial on how I can set a good firewall up on the virtual dedicated server? It is running CentOS Linux 5.2. Sorry, I'm quite new to Linux and all this. Thanks in advance.

Posted by shawn_linux, 04-05-2010, 01:52 PM
You can install csf and mod_evasive to stop DDoS attacks. For SYN floods, adjust iptables.

Posted by RDOSTI, 04-05-2010, 04:04 PM
You can also install good security tools and firewalls, but be sure to ensure they don't mess with your other software/scripts/websites.

Posted by keserhosting, 04-06-2010, 02:28 AM
I assure you that the CSF firewall works great against DDoS attacks. Use good mod_security rules with the firewall; this will help greatly.

Posted by ksv2nash, 04-06-2010, 03:47 AM
Hello, to protect your server against DDoS and SYN floods you can install CSF, install mod_security, and get a server audit from any admin. Thank you.

Posted by zhuki, 04-06-2010, 05:25 AM
I installed csf, but sometimes I get errors saying that I have to start it manually. Could someone point me to a tutorial maybe on how I tweak the right settings? I can also test it with a botnet to DDoS the server. Thanks in advance.

Posted by ksv2nash, 04-06-2010, 05:59 AM
Hello, once CSF is installed, edit the CSF configuration file:

cd /etc/csf
vi csf.conf

And make CSF active by editing the file and putting a '0' in the line:

TESTING = "1"

Save the file and exit.

Posted by zhuki, 04-06-2010, 06:12 AM
The problem is that I think it's not working correctly. I have also installed Webmin to manage the firewall. Anyway, here's what happens when I enter csf -r. I left testing mode on to clear the firewall every 5 mins in case I lock myself out.

Posted by ksv2nash, 04-06-2010, 06:14 AM
Hello, have you enabled csf?

Posted by zhuki, 04-06-2010, 06:19 AM
I think so. In SSH I typed csf -r, I think that is to restart it, but there's that warning about the Virtuozzo VPS I get. And could you guide me on how to configure it to deny SYN flood attacks (and others possibly)? Thanks

Posted by ksv2nash, 04-06-2010, 06:24 AM
Hello, can you show me your csf.conf config?

Posted by ksv2nash, 04-06-2010, 06:25 AM
Hello, if you are still running APF and BFD on your server it is necessary to disable those applications:

sh disable_apf_bfd.sh

Posted by zhuki, 04-06-2010, 06:48 AM
Hi, yes I disabled APF by using apf --stop. Also, here is my config: *pastebin.com/jSxDgW4D. For some reason vBulletin won't let me post code anymore. Anyway, there's the pastebin link. Sorry again for the noob questions, I'm really new to Linux.

Posted by ksv2nash, 04-06-2010, 06:53 AM
Hello, now what exactly do you want to do?

Posted by zhuki, 04-06-2010, 08:20 AM
I want to stop SYN floods from crashing down my server. I have tested it with a few bots and like 10 of them can get it down. What's the best way to achieve that?

Posted by ksv2nash, 04-06-2010, 08:22 AM
Hello, for that you need an admin. Have you done mod_security for your server?

Posted by zhuki, 04-06-2010, 08:24 AM
How would I check? I'm sorry, I don't really know much on this :$ Edit: my server is a virtual dedicated server hosted at MediaTemple btw. Last edited by zhuki; 04-06-2010 at 08:29 AM.

Posted by ksv2nash, 04-06-2010, 08:31 AM
Hello, then you can tell him to do

Posted by zhuki, 04-06-2010, 08:34 AM
I don't think they offer support; besides, I have root access. How would I check for that mod_security, if it is installed?

Posted by ksv2nash, 04-06-2010, 08:35 AM
Hello, would you like to show me your my.cnf?

Posted by zhuki, 04-06-2010, 08:41 AM
I assume it's this?

Posted by ksv2nash, 04-06-2010, 08:42 AM
Hello, do you need an admin to do this?

Posted by zhuki, 04-06-2010, 08:46 AM
I want to do it myself, as I'm just in a testing environment. There is actually no big site hosted there; I'm just testing out how to prevent this so I can implement it on other servers.

Posted by ksv2nash, 04-06-2010, 08:50 AM
Hello, use this my.cnf. Actually I charge for this but I am giving it to you for free, ok? Once you take this then tell me. pico /etc/my.cnf, delete all lines in it and then paste the following:
------------------------------------------------------
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
max_user_connections=25
max_connections=500
interactive_timeout=10
wait_timeout=10
connect_timeout=10
thread_cache_size=128
key_buffer=16M
join_buffer=1M
max_allowed_packet=16M
table_cache=1024
record_buffer=1M
sort_buffer_size=2M
read_buffer_size=2M
max_connect_errors=10
# Try number of CPU's*2 for thread_concurrency
thread_concurrency=8
myisam_sort_buffer_size=64M
#log-bin
server-id=1
old-passwords = 1

[mysql.server]
user=mysql
basedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192

[mysqldump]
quick
max_allowed_packet=16M

[mysql]
no-auto-rehash
#safe-updates

[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[mysqlhotcopy]
interactive-timeout

Posted by zhuki, 04-06-2010, 09:06 AM
Ok, done. How will this help me defeat SYN floods though? Any explanations? Thanks a lot for your quick replies.

Posted by ksv2nash, 04-06-2010, 09:08 AM
Hello, This is for optimizing mysql.

Posted by Lightwave, 04-06-2010, 10:41 AM
You really need to hire an admin or pick a hosting company which provides management... the fact that you're applying completely random things that someone is telling you without having any clue what it does, or what it's for... is bad. You're going to end up breaking more things than you fix. I thought I had replied to your thread when you first posted... but honestly, with so many trolls lately on WHT... I figured you were just another person pretending to be dumb to get a laugh. "I have tried those iptable solutions to block syn packets but they usually slow down the whole loading of the site or lock it for me as well without an attack actually taking place." Duh. Trying to solve your headache by giving yourself a lobotomy is not the correct way.

Posted by zhuki, 04-07-2010, 04:35 AM
Ok, thanks for your help. No one was born wise, so I thought I'd get someone here to guide me since this forum seemed to be the right place. I guess I'll have to continue googling and reading for the answers. Cheers anyway.

Posted by jon-f, 04-07-2010, 11:31 AM
With a SYN flood, you wanna make sure your TCP stack is tuned correctly to handle all the connections, but you also wanna make sure you ban the offending IPs fast enough too. On csf I recommend using ct_states NEW,ESTABLISHED,SYN_RECV and using a ct_limit of 15, ct_perm set to 1. If you check dmesg and see lots of messages about dropped packets due to conntrack entries then you need to up that before all. But just about everything will need raising in sysctl.conf, so google "tcp stack tuning".
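The two configuration steps above (ksv2nash's TESTING = "1" flag and jon-f's connection-tracking and sysctl advice) are easy to get half right, so here is an added audit script for CentOS-style hosts. It is not CSF's code and not from the thread; the csf.conf keys it reads (TESTING, TESTING_INTERVAL, CT_LIMIT, CT_PERMANENT, CT_STATES, SYNFLOOD, SYNFLOOD_RATE, SYNFLOOD_BURST) are real csf.conf options, the sample files are constructed, and the sysctl thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not CSF's or the kernel's own code: audit the csf.conf and
# sysctl settings this thread talks about. The files below are constructed
# so the script runs offline; on a real host point it at /etc/csf/csf.conf
# and at the output of `sysctl -a` instead.

# cfg_get FILE KEY: print the value of KEY from a "KEY = value" file,
# stripping csf.conf-style double quotes and trailing whitespace.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# audit_csf FILE: one OK/WARN line per csf setting that matters for
# connection tracking and SYN floods. CT_LIMIT/CT_PERMANENT values are only
# reported; what is "right" depends on the site, as the thread says.
audit_csf() {
    t=$(cfg_get "$1" TESTING)
    if [ "${t:-1}" != "0" ]; then
        echo "WARN TESTING=${t:-unset}: rules are flushed every TESTING_INTERVAL minutes, so nothing is really protected"
    else
        echo "OK TESTING=0"
    fi
    ct=$(cfg_get "$1" CT_LIMIT)
    if [ "${ct:-0}" -eq 0 ]; then
        echo "WARN CT_LIMIT=0: per-IP connection tracking/limiting is off"
    else
        echo "OK CT_LIMIT=$ct CT_STATES=$(cfg_get "$1" CT_STATES) CT_PERMANENT=$(cfg_get "$1" CT_PERMANENT)"
    fi
    sf=$(cfg_get "$1" SYNFLOOD)
    if [ "${sf:-0}" != "1" ]; then
        echo "WARN SYNFLOOD=${sf:-unset}: csf's SYN rate limit is off"
    else
        echo "OK SYNFLOOD=1 rate=$(cfg_get "$1" SYNFLOOD_RATE) burst=$(cfg_get "$1" SYNFLOOD_BURST)"
    fi
}

# audit_sysctl FILE: the kernel side of "tcp stack tuning". The backlog and
# retry thresholds are assumptions for illustration, not a standard.
audit_sysctl() {
    sc=$(cfg_get "$1" net.ipv4.tcp_syncookies)
    if [ "${sc:-0}" = "1" ]; then
        echo "OK tcp_syncookies=1"
    else
        echo "WARN tcp_syncookies=${sc:-unset}: half-open connections can exhaust the SYN backlog"
    fi
    bl=$(cfg_get "$1" net.ipv4.tcp_max_syn_backlog)
    if [ "${bl:-0}" -ge 2048 ]; then
        echo "OK tcp_max_syn_backlog=$bl"
    else
        echo "WARN tcp_max_syn_backlog=${bl:-unset}: backlog below 2048"
    fi
    sr=$(cfg_get "$1" net.ipv4.tcp_synack_retries)
    if [ "${sr:-5}" -le 3 ]; then
        echo "OK tcp_synack_retries=$sr"
    else
        echo "WARN tcp_synack_retries=${sr:-unset}: half-open entries linger through ${sr:-5} SYN-ACK retries"
    fi
}

# warn_count AUDIT_FN FILE: number of WARN lines the audit produced.
warn_count() { "$1" "$2" | grep -c '^WARN' || true; }

# Constructed sample files (stand-ins for the real ones).
demo=$(mktemp -d)
cat > "$demo/csf.conf" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
CT_LIMIT = "0"
CT_PERMANENT = "0"
CT_STATES = ""
SYNFLOOD = "0"
EOF
cat > "$demo/csf-hardened.conf" <<'EOF'
TESTING = "0"
CT_LIMIT = "15"
CT_PERMANENT = "1"
CT_STATES = "NEW,ESTABLISHED,SYN_RECV"
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
EOF
cat > "$demo/sysctl.txt" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 5
EOF

echo "== as pasted in the thread"; audit_csf "$demo/csf.conf"
echo "== after tuning";            audit_csf "$demo/csf-hardened.conf"
echo "== kernel";                  audit_sysctl "$demo/sysctl.txt"
```

The first sample reproduces the situation in the thread: with TESTING still at 1 the cron job flushes the rules every TESTING_INTERVAL minutes, which is exactly why "I left testing mode on" means the firewall is not protecting anything. The hardened sample uses jon-f's values. Note that csf's own SYNFLOOD option is the rate limit that can also throttle legitimate traffic, which matches the original poster's complaint about iptables SYN rules slowing the site; tune SYNFLOOD_RATE and SYNFLOOD_BURST against real traffic rather than enabling it blindly.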

Posted by ZKuJoe, 04-08-2010, 05:07 AM
Wow, did I just read 2 pages of people suggesting to use a software firewall and iptables to prevent a DDoS attack? And some person claiming to be a server admin that is giving MySQL optimization tips to mitigate DDoS and SYN attacks? Wow, just wow.

Posted by Sileep Kumar M S, 04-08-2010, 09:47 AM
hehe

Posted by MrSaints, 04-09-2010, 07:35 AM
Let's all be honest with each other. The only and best way to mitigate any DDoS attack, yes DDoS, not a simple DoS, is through a HARDWARE firewall. Many people provide such a service, e.g. protection via proxy, DNS protection; they are just very expensive most of the time. Even with mod_evasive, mod_ddos, etc., your server will still be 'affected' by the 'hits' or 'floods'; it simply blocks traffic on a software basis. CSF is the best way around for 'software' protection as well as fine tuning your network configuration. Besides, if it was a DDoS attack, your iptables will be flooded with IPs which may potentially affect your server's performance, obviously, since most DDoS attacks are achieved through zombie computers. Just don't create enemies. Otherwise, if it was a simple DoS attack, just nullroute the IP.

Posted by RDOSTI, 04-09-2010, 07:37 AM
Agreed. But for those who just can't afford the hardware, go with at least a software one. Most datacenters now are equipping themselves with a basic hardware firewall or security setup, though those that aren't charge extra.

Posted by paladinstrike, 04-09-2010, 08:20 PM
csf is a good product but you have to understand what you are doing. It is VERY configurable. You can't just enable it and expect what you want to happen. You have to configure the settings to block floods if that is what you want. It has a bunch of different parameters for this: port scan blocking, connection tracking/limiting, firewall deny blocking, SYN blocking, etc. etc.

Posted by paladinstrike, 04-09-2010, 08:41 PM
DDoS, no. If a DDoS reaches the server level that's pretty much it. However, a software firewall can definitely mitigate a SYN flood attack, as long as the amount of traffic it's getting isn't on the order of a DDoS. A SYN flood works by clogging up TCP with half-open connections. If they are blocked at the firewall the connection isn't left open.
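The half-open-connection symptom described above is visible directly in netstat, and jon-f's "check dmesg for conntrack drops" is the other quick check. The following added script (not from the thread, not CSF's code) turns both into repeatable checks; the netstat and dmesg samples are constructed, and the threshold is a placeholder you would set from your own baseline.

```shell
#!/bin/sh
# Added example, not from the thread: spot the symptom paladinstrike describes,
# a pile-up of half-open (SYN_RECV) connections, from `netstat -ant` output,
# and count the conntrack "table full" drops jon-f says to look for in dmesg.
# Both inputs below are constructed; on a live box pipe the real commands in:
#   netstat -ant | syn_recv_by_source 20
#   dmesg | conntrack_drops

# total_half_open: number of SYN_RECV sockets on stdin (netstat -ant format).
total_half_open() { awk '$NF == "SYN_RECV"' | wc -l | tr -d ' '; }

# syn_recv_by_source THRESHOLD: count SYN_RECV entries per remote address
# and print "count address" for every source at or above THRESHOLD,
# largest first. A true DDoS spreads thin across sources, so also watch
# total_half_open against your normal baseline.
syn_recv_by_source() {
    awk -v thr="$1" '
        $NF == "SYN_RECV" {
            ip = $5                   # Foreign Address column: addr:port
            sub(/:[0-9]+$/, "", ip)   # drop the port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# conntrack_drops: count kernel messages on stdin about the conntrack table
# being full; matches both the 2.6.18 ip_conntrack and newer nf_conntrack text.
conntrack_drops() { grep -c 'table full, dropping packet' || true; }

# Constructed sample: one web server (192.0.2.10) with a burst of half-open
# connections from 203.0.113.9 and normal traffic from elsewhere.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0      0 0.0.0.0:80          0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:80       203.0.113.9:40001    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:40002    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:40003    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:40004    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:40005    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:40006    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.20:51000   SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.20:51001   SYN_RECV
tcp        0      0 192.0.2.10:80       198.51.100.7:33210   ESTABLISHED
tcp        0      0 192.0.2.10:22       198.51.100.7:33300   ESTABLISHED'

# Constructed dmesg excerpt with conntrack drops mixed into other output.
SAMPLE_DMESG='ip_conntrack: table full, dropping packet.
eth0: link up
ip_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet
printk: 120 messages suppressed.'

echo "half-open sockets: $(printf '%s\n' "$SAMPLE_NETSTAT" | total_half_open)"
echo "sources at/above 5 half-open:"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source 5
echo "conntrack drops logged: $(printf '%s\n' "$SAMPLE_DMESG" | conntrack_drops)"
```

A single source holding many SYN_RECV entries is the case csf's per-IP connection tracking (CT_LIMIT with SYN_RECV in CT_STATES) can block; a distributed flood shows up as a high total with no dominant source, which is the case the posters above say software on the box cannot solve. Conntrack "table full" lines mean the kernel is dropping packets before any rule sees them, so the table size (net.ipv4.netfilter.ip_conntrack_max on the 2.6.18 kernels CentOS 5 ships, net.netfilter.nf_conntrack_max on later ones) has to be raised before tuning anything else.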

Posted by Andrew Moore, 04-09-2010, 08:41 PM
I also would recommend using CSF. As said many times, it is highly configurable, and if you are using cPanel it has a plugin for it. I use CSF for all my nodes and it has not failed me yet. If you do not configure it correctly it can do you good and bad, for example blocking connections to places that it doesn't need to, so make sure you configure CSF correctly.

Posted by jon-f, 04-09-2010, 08:53 PM
Despite what some say, you can fight off a good amount of DDoS with your server using software. It all depends on the size and type of attack, size of your port, amount of resources, etc. But this does require lots of work, some downtime, maybe a lot of downtime, and lots of hassle, so it's really on whatever is in your budget. DDoS attacks hit you in your wallet more so than anything.

Posted by ZenMonk, 04-10-2010, 02:48 AM
The more RAM, the more connections you can block via iptables, as each TCP connection consumes roughly 67kb. Powerful processors and gigabit cards would help in repelling DDoS attacks.
