How to Prevent SYN Flood Attacks in Linux

Posted on by Rimsha Ashraf

As businesses become more reliant on delivering services through the Internet, distributed denial of service (DDoS) assaults are becoming more widespread. The concept of SYN flood attacks is not new, and it has been around for ages. It was one of the techniques available to hackers even before the world wide web was born. 

With time the system to protect from this attack became more well defined and better tested. This article will give you a few approaches to protecting yourself or your network from such an attack.

What is an SYN Flood Attack?

An SYN flood (half-open attack) is a denial-of-service (DDoS) attack aiming to make the server unavailable to authorized traffic by consuming all available server resources.

An SYN flood works by not responding to the server with the expected ACK code after sending a synchronized packet (SYN) as part of the TCP three-way handshake. The server will wait for a response from the client, and if none comes, the connection times out.

Source: thepythoncode.com

This can be exploited to cause the server to wait for incoming connections without closing them and therefore keep its internal connection table full, preventing it from receiving any more connections. The business will not be able to reply even to legitimate clients.

How Does the SYN Flood Attack Work?

SYN flood is a type of denial-of-service attack where a hacker sends a succession of SYN requests to the target’s system. It consumes server resources to make the system unresponsive to permissible traffic.

Malicious hackers often use SYN flood attacks as a preliminary step toward other, more severe attacks. An SYN flood attack can also be launched as part of a distributed denial-of-service (DDoS) attack, in which the attacker uses multiple computers to launch the onslaught simultaneously.

For the TCP/IP communications protocol suite to function appropriately, three steps must occur before two computers can communicate.

  • The first computer, which initiates the connection, sends out an SYN request.
  • The second computer responds with its own SYN request and an acknowledgment of receipt for the first one.
  • Finally, the first computer acknowledges receipt of the second one. This whole process is known as the three-way handshake.

Preventing SYN Flood Attacks

SYN flooding is a denial-of-service attack. An attacker sends a succession of SYN requests to a target’s system to consume enough server resources to make the system unresponsive to legitimate traffic. Here are some steps to prevent a SYN flood attack in Linux.

1. Detecting the SYN Flood Attack

The first step is to detect the attack. You need to look at your network traffic with tcpdump or Wireshark to do so. You can also use the following netstat command:

$ netstat -tuna | grep :80 | grep SYN_RECV

The server could be under SYN Flood attack if it exhibits a lot of connections with this condition, as seen above. You can halt a direct attack with many SYN_RECV packets from a single IP address by adding that IP address to the firewall.

In the above command, we’ve used port 80 for demonstration purposes, but SYN flooding attacks can be in any open port of your system.

2. Blocking IP Addresses

If your server has an APF or CSF firewall installed, you can do so by running the following command:

$ apf -d IPADDRESS 
$ csf -d IPADDRESS

You can simply install apf using the following command:

$ sudo apt install apf-firewall

3. Boosting the Backlog Queue

As SYN backlog, each OS allows a fixed amount of RAM to keep half-open connections. When the limit is reached, the connection is cut off. To combat SYN assaults, we can increase the backlog limit to prevent legitimate connections from being denied.

In Linux systems, the SYN Backlog Queue size is set as:

  • Run the command # cat /proc/sys/net/ipv4/tcp_max_syn_backlog.
  • Set the TCP backlog queue size.
  • In a text editor, open the /etc/sysctl.conf file.
  • Add the following line to the file to set the default queue size of the TCP backlog:
  • net.ipv4.tcp_max_syn_backlog=1280
  • Save modifications and then close the file.
  • Run  # sysctl -p to apply configurations.

Alternatively, you can use the sysctl command as you’ll see in the upcoming section.

4. Recycling the Oldest Half-open Connections

Reusing the memory of the SYN backlog by removing the oldest half-open connection is another method of SYN assault defense. This frees up room for new connections while also ensuring that the system stays operational during floods to a certain extent. For high-volume SYN flood DDoS attacks, this mitigating method is unsuccessful.

5. Setting SYN Cookies

SYN cookies are an innovative method of thwarting SYN flood attacks. Rather than allocating memory for each connection attempt, SYN cookies allocate a sequence number to track the connection. That sequence number is returned in the TCP SYN-ACK response to the client, and the server uses it to validate subsequent ACKs from that client. It has a couple of important benefits as follows.

  • It doesn’t consume kernel memory per connection attempt, so it can handle unlimited SYN floods without a problem.
  • It’s more secure than regular cookies because it prevents spoofing (an attacker can’t hijack another user’s session).
  • SYN cookies are enabled by default on most Linux systems, and this is why you may have noticed that your server didn’t crash during the attack earlier in this article.

You can set up SYN cookies using sysctl command, as you’ll see in the next section.

6. Firewall Filtering

Detect and filter SYN packets with the firewall enabled. All types of DDoS assaults, including packet sweeps, flooding, and unwanted port scanning, can be prevented or limited by configuring the firewall using ufw, apf, csf or iptables.

What to do if SYN Flood Attack Occurs?

Follow these steps in case an SYN flood attack occurs:

  • Reduce SYN timeout
$ iptables -A FORWARD -p TCP –syn -m limit –limit 1/s -j ACCEPT
$ iptables -A INPUT -i eth0 -m limit –limit 1/sec –limit-burst 5 -j ACCEPT
  • Up to 3 per packet SYN
$ iptables -N syn-flood
$ iptables -A INPUT -p tcp –syn -j syn-flood
$ iptables -A syn-flood -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN
$ iptables -A syn-flood -j REJECT
  • Set SYN cookies
$ sysctl -w net.ipv4.tcp_syncookies=1
$ sysctl -w net.ipv4.tcp_max_syn_backlog=3072
$ sysctl -w net.ipv4.tcp_synack_retries=0
$ sysctl -w net.ipv4.tcp_syn_retries=0
$ sysctl -w net.ipv4.conf.all.send_redirects=0
$ sysctl -w net.ipv4.conf.all.accept_redirects=0
$ sysctl -w net.ipv4.conf.all.forwarding=0
$ sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  • Preventing the ping command
$ sysctl -w net.ipv4.icmp_echo_ignore_all=1
  • Block specific IP range
$ iptables -A INPUT -s 192.168.5.1/8 -i eth0 -j Drop

Conclusion 

This is a simple guide on preventing SYN Flood attacks in Linux. Protecting yourself from Syn Flood attacks is a relatively easy process that can be accomplished in minutes once you understand how the process works. This article has explained SYN flood attack Linux in detail and showed ways to prevent it. 

Learn also: How to Transfer Files using Rsync in Linux