DDoS attack defense on CentOS

Start by adjusting the /proc/sys/net/ipv4/tcp_max_syn_backlog parameter. Its default value is usually very small; raising it above 8000 is generally enough to cope with ordinary DDoS attacks. If half-closed connections linger too long, you can also lower /proc/sys/net/ipv4/tcp_fin_timeout.
When it comes to DDoS, I personally think there is no real cure: you can only buffer the load, expand your defenses and play a game of endurance with the attacker to see who holds out longer. There are many practices published online, such as syncookies, which are fairly involved.
sysctl -w net.ipv4.icmp_echo_ignore_all=1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_synack_retries=3
# The chain must exist before INPUT can jump to it
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
# Limit 12 connections per second (burst to 24); SYNs over the limit fall through to DROP
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
You can also try this (note that it sits on the FORWARD chain, so it only affects traffic routed through the host, not connections to the host itself):
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
A web hosting provider may be hit by hacker attacks in the course of operation; common attack methods include SYN floods, DDoS and so on.
Changing the IP address and working out which site is being attacked can avoid the attack, but service is interrupted for a long time. A more thorough solution is to install a hardware firewall, but hardware firewalls are expensive. Consider instead using the firewall features of the Linux system itself.
1. Resisting SYN floods
A SYN attack exploits the TCP/IP three-way handshake: the attacker sends a large number of connection requests but never completes them, until the attacked server's connection queue fills up and normal users can no longer get in.
The Linux kernel exposes several SYN-related settings; list them with the command:
sysctl -a | grep syn
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is the switch that enables SYN cookies, which can defeat some SYN attacks; tcp_synack_retries and tcp_syn_retries define how many times SYN-ACK and SYN packets are retransmitted.
Increasing the SYN queue length lets the host hold more half-open connections waiting to complete, enabling SYN cookies can defeat some SYN attacks, and reducing the retry counts also helps.
These settings are adjusted as follows:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Turn on the SYN COOKIE feature:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep this configuration across a reboot, add the above commands to the /etc/rc.d/rc.local file.
Detecting a SYN attack with netstat
# netstat -n -p -t
tcp 0 0 SYN_RECV -
tcp 0 0 SYN_RECV -
tcp 0 0 SYN_RECV -
On a Linux system you see a large number of connections in the SYN_RECV state (SYN_RECEIVED on Windows systems),
and the source IP addresses are random, which indicates a SYN flood using spoofed source IPs.
# netstat -n -p -t | grep SYN_RECV | grep :80 | wc -l
This counts the half-open (not yet established) queue entries on one port in a Linux environment; the command above filters on port 80, and the author's run on TCP port 22 showed 324 half-open connections.
Although that is far below the limit, it should still draw the administrator's attention.
[root@pub wxjsr]# netstat -na | grep SYN_RECV
tcp 0 0 SYN_RECV
tcp 0 0 SYN_RECV
tcp 0 0 SYN_RECV
tcp 0 0 SYN_RECV
tcp 0 0
[root@pub wxjsr]# netstat -na | grep SYN_RECV |wc
11 66 979
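The netstat checks above count SYN_RECV entries by hand. As an added example (not code from the original post), the script below does the same over `netstat -n -t` output with awk: half-open connections per local port, the number of distinct source hosts (many distinct, random sources is the spoofing pattern described above), and a threshold alert. The netstat sample embedded in it is constructed with documentation-range addresses; the threshold value is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise half-open (SYN_RECV)
# connections from `netstat -n -t` output per local port, and flag a port whose
# half-open count crosses a threshold. Real use:  netstat -n -t | syn_recv_report

# Constructed sample of `netstat -n -t` output (documentation-range addresses):
# eight SYN_RECV entries against port 80 from eight different sources (the
# "random source IP" pattern described above), one against port 22, two established.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.45:51900      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.91:6023      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.130:1044      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:3311     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.77:48812      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.33:2250      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.250:9090      SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:55002      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:33002       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40300      ESTABLISHED'

# count_syn_recv PORT (netstat output on stdin): number of SYN_RECV entries on PORT
count_syn_recv() {
    awk -v port="$1" '
        $6 == "SYN_RECV" { lp = $4; sub(/.*:/, "", lp); if (lp == port) n++ }
        END { print n + 0 }'
}

# distinct_syn_sources PORT: number of different source hosts in SYN_RECV on PORT
distinct_syn_sources() {
    awk -v port="$1" '
        $6 == "SYN_RECV" {
            lp = $4; sub(/.*:/, "", lp)
            if (lp != port) next
            src = $5; sub(/:[^:]*$/, "", src)   # strip the source port (works for IPv6 too)
            if (!(src in seen)) { seen[src] = 1; n++ }
        }
        END { print n + 0 }'
}

# syn_recv_report: one summary line per local port, sorted by port
syn_recv_report() {
    awk '
        $6 == "SYN_RECV" {
            lp = $4; sub(/.*:/, "", lp)
            src = $5; sub(/:[^:]*$/, "", src)
            cnt[lp]++
            if (!((lp, src) in seen)) { seen[lp, src] = 1; uniq[lp]++ }
        }
        END { for (p in cnt) printf "port %s: %d half-open from %d distinct sources\n", p, cnt[p], uniq[p] }' \
    | sort
}

# syn_recv_alert PORT THRESHOLD: returns 0 and prints an alert when the number of
# half-open connections on PORT is at least THRESHOLD, otherwise returns 1.
syn_recv_alert() {
    n=$(count_syn_recv "$1")
    if [ "$n" -ge "$2" ]; then
        printf 'ALERT: %s half-open connections on port %s (threshold %s)\n' "$n" "$1" "$2"
        return 0
    fi
    printf 'ok: %s half-open connections on port %s\n' "$n" "$1"
    return 1
}

# Run against the constructed sample when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_report
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_alert 80 5
fi
```

The alert function returns a shell status, so it can drive a cron job or a monitoring check directly (`netstat -n -t | syn_recv_alert 80 500 && mail -s "SYN flood" admin`); the awk filters key on the State column, so the extra PID/Program column printed by `netstat -p` does not disturb them.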
Viewing the system's SYN configuration
The Linux kernel exposes a number of SYN-related settings; list them with sysctl -a | grep syn:
[root@metc apache2]# /sbin/sysctl -a | grep syn
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18
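The sysctl listing above is inspected by eye, and the earlier section persists the changes through rc.local. As an added example that is not part of the original post, the script below audits the output of `sysctl -a | grep syn` against the values the post recommends and renders those values as a sysctl.d fragment, which is the usual way to make them survive a reboot (`sysctl -p FILE` or `sysctl --system`). The comparison directions (backlog as a floor, retry counts as ceilings), the file name `90-syn-flood.conf` and the sample output embedded in the script are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the SYN-related sysctl values
# (as printed by `sysctl -a | grep syn`) against the hardened values recommended
# in the post, and render those values as a sysctl.d fragment so they persist
# across a reboot without relying on rc.local. Real use:
#   sysctl -a 2>/dev/null | grep syn | audit_syn_sysctl
#   install_syn_sysctl /etc/sysctl.d/90-syn-flood.conf && sysctl -p /etc/sysctl.d/90-syn-flood.conf

# Policy: key, comparison, target. The targets come from the post; treating the
# backlog as a floor and the retry counts as ceilings is this example's assumption.
SYN_POLICY='net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_max_syn_backlog ge 2048
net.ipv4.tcp_synack_retries le 3
net.ipv4.tcp_syn_retries le 3'

# Constructed sample in the shape of `sysctl -a | grep syn` on an untuned host.
SAMPLE_SYSCTL='net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18'

# audit_syn_sysctl (sysctl output on stdin): prints OK/FAIL/MISSING per policy key
# and returns the number of non-compliant keys, so 0 means fully compliant.
audit_syn_sysctl() {
    awk -v policy="$SYN_POLICY" '
        BEGIN {
            n = split(policy, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                key[i] = f[1]; op[f[1]] = f[2]; want[f[1]] = f[3]
            }
        }
        # sysctl prints "key = value"; keep only keys the policy knows about
        $2 == "=" && ($1 in op) { have[$1] = $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have)) { printf "MISSING %s\n", k; bad++; continue }
                v = have[k] + 0; w = want[k] + 0
                ok = (op[k] == "eq" && v == w) || (op[k] == "ge" && v >= w) || (op[k] == "le" && v <= w)
                printf "%s %s = %s (want %s %s)\n", (ok ? "OK" : "FAIL"), k, have[k], op[k], want[k]
                if (!ok) bad++
            }
            exit bad
        }'
}

# render_sysctl_fragment: the policy targets in sysctl.conf syntax
render_sysctl_fragment() {
    printf '# SYN flood hardening (generated by render_sysctl_fragment)\n'
    printf '%s\n' "$SYN_POLICY" | awk '{ printf "%s = %s\n", $1, $3 }'
}

# install_syn_sysctl DEST: write the fragment to DEST (e.g. /etc/sysctl.d/90-syn-flood.conf);
# apply it afterwards with `sysctl -p DEST` or `sysctl --system`.
install_syn_sysctl() {
    render_sysctl_fragment > "$1"
}

# Audit the constructed sample when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_syn_sysctl || echo "$? setting(s) need changing"
fi
```

Because the fragment is generated from the same policy table the audit reads, feeding it back through `audit_syn_sysctl` returns 0, which gives a quick self-check that the file written to /etc/sysctl.d says what the audit expects.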
Settings to protect against SYN attacks
# Rate-limit new connections; the first rule is on FORWARD (routed traffic only), the second accepts at most 1 packet/s of any kind on eth0:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# Allow up to 3 SYN packets at once (average 1 per second) and reject the rest:
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT
# Enable syncookies and tighten the SYN settings:
sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3000
/sbin/sysctl -w net.ipv4.tcp_synack_retries=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # disable IP source routing
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore ICMP echo (ping) sent to broadcast addresses; this should be enabled
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1 # ignore all ICMP echo requests, which supersedes the previous item
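The iptables snippets above are one-off command lists. As an added example that is not code from the original post, the script below installs the syn-flood chain in a form that can be re-run safely and shows three points the one-liners leave out: the chain has to exist before INPUT can jump to it, the chain needs a terminal DROP or the rate limit does nothing, and `-m limit` is a single global bucket (a flood also throttles legitimate clients), whereas `-m hashlimit --hashlimit-mode srcip` limits each source address separately. The interface name, rate and burst values, and the presence of the hashlimit module and of `iptables -C` (iptables 1.4.11 or newer) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: install the syn-flood chain in a way
# that can be re-run safely. Assumptions: eth0 is the external interface, the
# xt_hashlimit module is available, and iptables supports -C (1.4.11 or newer).
# DRY=1 prints the rules instead of applying them, so the logic can be checked
# without root.

IFACE=${IFACE:-eth0}
CHAIN=syn-flood
RATE=${RATE:-12/second}     # allowed average SYN rate per source address (assumed)
BURST=${BURST:-24}          # short burst tolerated per source address (assumed)
DRY=${DRY:-0}

# Run an iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Existence check (iptables -L / -C). In dry-run mode everything is reported
# absent so the complete rule set is printed.
ipt_has() {
    if [ "$DRY" = 1 ]; then return 1; fi
    iptables "$@" >/dev/null 2>&1
}

# Create the chain the first time, flush it on later runs so rules are not duplicated.
ensure_chain() {
    if ipt_has -n -L "$CHAIN"; then ipt -F "$CHAIN"; else ipt -N "$CHAIN"; fi
}

install_syn_rules() {
    ensure_chain
    # Per-source token bucket: a source still within RATE/BURST returns to INPUT
    # and is processed normally; anything beyond that falls through to DROP.
    ipt -A "$CHAIN" -p tcp --syn -m hashlimit --hashlimit-name "$CHAIN" \
        --hashlimit-mode srcip --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" \
        -j RETURN
    ipt -A "$CHAIN" -j DROP
    # Hook the chain into INPUT only once (-C checks whether the rule already exists).
    if ! ipt_has -C INPUT -i "$IFACE" -p tcp --syn -j "$CHAIN"; then
        ipt -A INPUT -i "$IFACE" -p tcp --syn -j "$CHAIN"
    fi
}

case "${1:-}" in
    --apply)   install_syn_rules ;;
    --dry-run) DRY=1; install_syn_rules ;;
esac
```

Run it with `--dry-run` first and read the printed rules, then `--apply` as root; because the chain is flushed rather than re-created on later runs, the script can be called from rc.local or a configuration-management tool without stacking duplicate rules.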