New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
2026 Massive syn reflection attack to brazil is effecting more vps.
The attack and coverage has been gone worse recently.
All of my US/CA instances have been used as trampoline to syn flood brazil subnets.
I had to block the whole brazil networks with iplist+gemini generated nftables rule.
I suggest you check if you are being affected by running ss -tin.
Are you forcefully taken part in the syn flood army?
- Are you forcefully taken part in the syn flood army?10 votes
- No. My instance havn't been discovered by the botnet.80.00%
- Yes. My instance is part of the botnet now.0.00%
- Yes. But my instance is somehow forgetten by the botnet now20.00%
Comments
Decrease net.ipv4.tcp_synack_retries, it is the best mitigation without blocking any legit user or additional computational overhead (IP list lookup)
Thought this before.
But I'm in china so decrease this might make more connection disruptive.
Remote party has own syn_retries, therefore it shouldn't be a bigger issue than whatever you are doing in my opinion.
Lowering net.ipv4.tcp_synack_retries can help in certain SYN flood / half-open connection scenarios, but it’s important to be clear about what it actually does and what trade-offs it introduces.
By default, Linux retries sending SYN-ACK packets several times when a client doesn’t complete the TCP handshake. Reducing tcp_synack_retries shortens how long the kernel keeps those half-open connections alive. That can slightly reduce resource pressure during SYN floods, since backlog entries are dropped faster.
I think block whole net is better.
There are like 300+ entries in ss output.
Since these forged are send to me 24x7,use this method is less useful and waste my bandwidth.
And my vps cpu will likely break down faster than the brazil victims down.
TCP stack is more complex than netfilter(which is already optimized a lot)
So what would be good value to set here ? In last 3/4 days my websites are all targeted so this would help.
I would like to note that if your website (your IP address) is targeted with TCP SYN flood attack, the better approach is usage of syncookies or even specialised ddos protection service depending on volume and/or your expertise.
However, if you see that you are likely being abused for TCP SYN-ACK reflection, I would advise to use value of zero. This will prevent packet count amplification (i.e. attacker with IP spoofing sending 1x TCP SYN to you and you sending 6x TCP SYN-ACK packets to the victim).
Thanks
I'm seeing the same issue on port 53.
I've blocked networks from Brazil using ipset and iptables, but OVH VAC is flooding my inbox… Crazy