SYN Flood Protection?
AsuraHosting
Member
Hey guys, I was wondering what you guys do to protect your server in the event of a SYN flood? I know there are settings which can be set to help aid in handling the attack, such as enabling syncookies, rejecting source-routed packets, enabling rp_filter, and also increasing the ip_conntrack_max threshold; but is there any sure way to help prevent a SYN flood?
I've done some research and saw that there are systems which sort of scan and block what's needed during that specific time, such as Floodmon; but I haven't tried it yet. Anyone have any suggestions as to what I could use to enhance protection specifically against SYN floods?
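As an added example (not code from the thread or from Floodmon), here is a small audit of the kernel knobs the post names, comparing a `sysctl -a`-style dump against hardened values; the conntrack floor and the two sample dumps are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SYN-flood related sysctl knobs named in the post.
# Input is "key = value" text as printed by `sysctl -a`, so it runs offline.

audit_sysctl() {
    # $1: sysctl output, one "key = value" per line. Prints one WEAK/MISSING
    # line per finding and nothing when every knob is hardened.
    printf '%s\n' "$1" | awk '
        BEGIN {
            # Exact values: SYN cookies on, source-routed packets rejected.
            want["net.ipv4.tcp_syncookies"] = 1
            want["net.ipv4.conf.all.accept_source_route"] = 0
            want["net.ipv4.conf.default.accept_source_route"] = 0
            # Floors: rp_filter 1 (strict) or 2 (loose) both count as enabled.
            # The conntrack floor is an assumed value; size it to your RAM
            # (older kernels call this key net.ipv4.ip_conntrack_max).
            floor["net.ipv4.conf.all.rp_filter"] = 1
            floor["net.ipv4.conf.default.rp_filter"] = 1
            floor["net.netfilter.nf_conntrack_max"] = 262144
        }
        /=/ {
            key = $1; val = $NF; seen[key] = 1
            if (key in want && val != want[key])
                printf "WEAK %s=%s (want %s)\n", key, val, want[key]
            if (key in floor && val + 0 < floor[key])
                printf "WEAK %s=%s (want >= %s)\n", key, val, floor[key]
        }
        END {
            for (k in want)  if (!(k in seen)) printf "MISSING %s\n", k
            for (k in floor) if (!(k in seen)) printf "MISSING %s\n", k
        }'
}

# Constructed sample resembling permissive defaults (not captured from a host).
WEAK_SAMPLE='net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.netfilter.nf_conntrack_max = 65536'

# The same knobs after hardening (constructed); the audit prints nothing here.
HARDENED_SAMPLE='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 2
net.netfilter.nf_conntrack_max = 262144'

audit_sysctl "$WEAK_SAMPLE"   # live box: audit_sysctl "$(sysctl -a 2>/dev/null)"
```

Hardening the knobs only raises the cost of a flood for the host itself; the thread's later replies are about moving that filtering to a dedicated appliance upstream.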
Comments
Beware with using Floodmon's defaults. I'm not sure what the author's target system consisted of, but I found that the defaults were quite... strict. And ended up causing hard-to-diagnose connectivity issues. I guess the Internet was a different place back then.
Sounds like you're doing what you can for your server nodes themselves. We're using a Cisco ASA 5150 ahead of our router, for incoming-only. They're quite expensive, but work well. We got ours for quite cheap, otherwise I think I would have looked for a different solution. They're somewhat easy to set up, and this comes from someone who's not CC-anything certified.
@Damian, Thanks a lot for the info; I'm definitely going to have to look into getting informed about the hardware aspect of all of this.
How much throughput can the 5150 sustain?
Oops, I meant 5510.. fingers got a little excited.
I think it's rated for 300 Mbit/sec. It's something we're considering when we upgrade to gigabit this year. We've run 100 Mbit/sec through it no problem.
(edit) http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
(edit again) Please note that the 5510's target market is "small office"... but we've put it through its paces and it's never coughed on us.
The real problem is when you go to 10G ports.
Switches are cheaper, but firewalls and IDS aren't...
These security appliance things do a good job. We tried to do this in software using Vyatta (not really within Vyatta's scope) and then m0n0wall. m0n0wall would have worked great if their developers would remove their head from their rectum... maybe they've improved by now.
The 5510 is around 500 quid on eBay. Not a bad price for how beneficial it could be.
Security is everything - it gives you peace of mind :P