如何解决SYN_RECV攻击

winkid

听别人说最好的办法是买硬件防火墙,但那玩意实在太贵了
请问各位朋友有什么方法利用软件防火墙或修改命令来抵挡住小量的SYN_RECV攻击
谢谢大家先

dancingpig

connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT

dancingpig

dstlimit - iptables dstlimit match
Author: Harald Welte <laforge@netfilter.org>
Status: Deprecated by hashlimit

This patch adds a new match called 'dstlimit'.  
The idea is to have something like 'limit', but either per
destination-ip or per (destip,destport) tuple.

It gives you the ability to say
        '1000 packets per second for every host in 192.168.0.0/16'
        '100 packets per second for every service of 192.168.1.1'

Parameters are:
        --dstlimit <rate>
                A rate just like the limit match
        --dstlimit-burst <num>
                Burst value, just like limit match
        --dstlimit-mode destip | destip-destport
                Limit per IP or per port
        --dstlimit-name foo
                The name for the /proc/net/ipt_dstlimit/foo entry
        --dstlimit-htable-size <num>
                The number of buckets of the hash table
        --dstlimit-htable-max <num>
                Maximum entries in the hash
        --dstlimit-htable-expire <num>
                After how many miliseconds do hash entries expire
        --dstlimit-htable-gcinterval <num>
                How many miliseconds between garbage collection intervals

winkid

谢谢dancingpig回答
我先研究一下,不懂再向你请教,非常感谢

bend

不如开启snycookie吧，对小量的，还有些用

geminis

直接用shell写基于iptable的连动脚本，跑在后台，定时检测可以有效控制攻击

晨想

Post by bend
不如开启snycookie吧，对小量的，还有些用

我也觉得是这样的。。

dancingpig

syncookie只是检测机制而且严重修改标准tcp，不是个很好的办法

晨想

摘自 http://cr.yp.to/syncookies.html

.
.

A SYN flood is simply a series of SYN packets from forged IP addresses. The IP addresses are chosen randomly and don't provide any hint of where the attacker is. The SYN flood keeps the server's SYN queue full. Normally this would force the server to drop connections. [color="Red"]A server that uses SYN cookies, however, will continue operating normally. The biggest effect of the SYN flood is to disable large windows.

.
.
.

A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry Metzger) have been spreading misinformation about SYN cookies. Here are some of their bogus claims:

[color="Red"]    * SYN cookies ``present serious violation of TCP protocol.'' Reality: SYN cookies are fully compliant with the TCP protocol. Every packet sent by a SYN-cookie server is something that could also have been sent by a non-SYN-cookie server.
    * SYN cookies ``do not allow to use TCP extensions'' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed.
    * SYN cookies cause ``massive hanging connections.'' Reality: With or without SYN cookies, connections occasionally hang because a computer or network is overloaded. Applications deal with this by simply dropping idle connections.
    * SYN cookies cause ``serious degradation of service.'' Reality: SYN cookies improve service. They do take a small amount of CPU time to compute, but that CPU time has to be spent anyway for hard-to-predict sequence numbers; see RFC 1948.
    * SYN cookies cause ``magic resets.'' Reality: SYN cookies never cause resets.