LinuxSir.cn, the Linuxsir that spans the ages!

Views: 2946 | Replies: 8

How to deal with a SYN_RECV attack

Posted on 2006-1-6 02:20:36
I've heard that the best solution is to buy a hardware firewall, but that thing is really too expensive.
Does anyone know a way to use a software firewall or to adjust commands so as to hold off a small-scale SYN_RECV attack?
Thanks in advance, everyone.
Posted on 2006-1-6 18:19:25
connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT

Posted on 2006-1-6 18:20:32
dstlimit - iptables dstlimit match
Author: Harald Welte <laforge@netfilter.org>
Status: Deprecated by hashlimit

This patch adds a new match called 'dstlimit'.  
The idea is to have something like 'limit', but either per
destination-ip or per (destip,destport) tuple.

It gives you the ability to say
        '1000 packets per second for every host in 192.168.0.0/16'
        '100 packets per second for every service of 192.168.1.1'

Parameters are:
        --dstlimit <rate>
                A rate just like the limit match
        --dstlimit-burst <num>
                Burst value, just like limit match
        --dstlimit-mode destip | destip-destport
                Limit per IP or per port
        --dstlimit-name foo
                The name for the /proc/net/ipt_dstlimit/foo entry
        --dstlimit-htable-size <num>
                The number of buckets of the hash table
        --dstlimit-htable-max <num>
                Maximum entries in the hash
        --dstlimit-htable-expire <num>
                After how many milliseconds do hash entries expire
        --dstlimit-htable-gcinterval <num>
                How many milliseconds between garbage collection intervals

Original poster | Posted on 2006-1-7 16:11:55
Thanks for the answer, dancingpig.
I'll study it first and ask you again if there is something I don't understand; many thanks.

Posted on 2006-1-12 23:41:11
Why not enable syncookies instead? Against small-scale attacks it's still somewhat useful.

Posted on 2006-2-10 13:26:49
Just write a shell script based on iptables that reacts automatically, run it in the background, and have it check periodically; that can control the attack effectively.
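As an added example (not code from this thread), the kind of periodic iptables script the post above describes: it reads `netstat -ant` output (a constructed sample is embedded), counts half-open SYN_RECV connections per source address and prints a DROP rule for every source above a threshold. The threshold, the sample addresses and the exact rule shape are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: count SYN_RECV entries per source IPv4
# address in netstat output and emit an iptables DROP rule for heavy sources.
# Assumes the `netstat -ant` column layout (Proto Recv-Q Send-Q Local Foreign State)
# and IPv4 addresses only (the split on ":" does not handle IPv6 literals).

THRESHOLD=${THRESHOLD:-20}

# Constructed sample in netstat -ant format; 192.0.2.10 holds three half-open
# connections, 198.51.100.7 one, and the ESTABLISHED row must be ignored.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80         192.0.2.10:41000      SYN_RECV
tcp        0      0 10.0.0.5:80         192.0.2.10:41001      SYN_RECV
tcp        0      0 10.0.0.5:80         192.0.2.10:41002      SYN_RECV
tcp        0      0 10.0.0.5:80         198.51.100.7:5100     SYN_RECV
tcp        0      0 10.0.0.5:22         203.0.113.9:6000      ESTABLISHED'

# syn_recv_counts: netstat output on stdin -> "count ip" lines, highest count first.
syn_recv_counts() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: netstat output on stdin -> source IPs with more than $1 SYN_RECV entries.
offenders() {
    syn_recv_counts | awk -v t="$1" '$1 > t { print $2 }'
}

# block_rule: the iptables command that drops further SYN segments from source $1.
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --syn -j DROP\n' "$1"
}

# sweep: one check; netstat output on stdin, threshold in $1, prints one rule per
# offender. Pipe the output into sh to apply it.
sweep() {
    offenders "$1" | while read -r ip; do
        block_rule "$ip"
    done
}

# Demonstration on the constructed sample with a low threshold.
printf '%s\n' "$SAMPLE_NETSTAT" | sweep 2
```

For a live run, schedule something like `netstat -ant | sh this_script.sh` from cron. As the later post in this thread quotes, a real SYN flood uses forged source addresses, so per-source blocking only helps against a handful of genuine sources; connlimit or syncookies cover the spoofed case.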

Posted on 2006-2-10 15:44:25
Post by bend
Why not enable syncookies instead? Against small-scale attacks it's still somewhat useful.

I think so too.

Posted on 2006-2-13 11:22:25
syncookies is only a detection mechanism, and it seriously modifies standard TCP; it's not a very good approach.

Posted on 2006-2-14 09:24:50
Excerpted from http://cr.yp.to/syncookies.html

...

A SYN flood is simply a series of SYN packets from forged IP addresses. The IP addresses are chosen randomly and don't provide any hint of where the attacker is. The SYN flood keeps the server's SYN queue full. Normally this would force the server to drop connections. A server that uses SYN cookies, however, will continue operating normally. The biggest effect of the SYN flood is to disable large windows.

...

A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry Metzger) have been spreading misinformation about SYN cookies. Here are some of their bogus claims:

    * SYN cookies ``present serious violation of TCP protocol.'' Reality: SYN cookies are fully compliant with the TCP protocol. Every packet sent by a SYN-cookie server is something that could also have been sent by a non-SYN-cookie server.
    * SYN cookies ``do not allow to use TCP extensions'' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed.
    * SYN cookies cause ``massive hanging connections.'' Reality: With or without SYN cookies, connections occasionally hang because a computer or network is overloaded. Applications deal with this by simply dropping idle connections.
    * SYN cookies cause ``serious degradation of service.'' Reality: SYN cookies improve service. They do take a small amount of CPU time to compute, but that CPU time has to be spent anyway for hard-to-predict sequence numbers; see RFC 1948.
    * SYN cookies cause ``magic resets.'' Reality: SYN cookies never cause resets.