Discussion:
[squid-users] SYN flooding
w***@yanbulink.net
2006-06-20 11:29:58 UTC
Hi all,

I can see a message on my log files "possible SYN flooding on port 8080.
Sending cookies." not on access.log and cache.log, but I've seen this on the
message.log.

Is this a big problem? how can I prevent this?

Thanks,

Wennie
Emilio Casbas
2006-06-20 11:30:06 UTC
Post by w***@yanbulink.net
Hi all,
I can see a message on my log files "possible SYN flooding on port 8080.
Sending cookies." not on access.log and cache.log, but I've seen this on the
message.log.
Is this a big problem? how can I prevent this?
Thanks,
Wennie
You can enable SYN cookies (to prevent SYN-flood attacks):
$ echo "1" >/proc/sys/net/ipv4/tcp_syncookies

or

reduce the number of possible SYN floods:
$ echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

You may need an iptables script; see the 'limit' module in iptables.

Thanks
Emilio C.
w***@yanbulink.net
2006-06-20 11:54:44 UTC
I checked my Squid box and I have exactly the values you mention for tcp_syncookies and
tcp_max_syn_backlog:

$ echo "1" >/proc/sys/net/ipv4/tcp_syncookies
$ echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

I will check how I can implement it in iptables, or if you have a link, could you please
forward it to me.

Thanks again,

Wennie
Emilio Casbas
2006-06-20 12:51:15 UTC
Post by w***@yanbulink.net
I check my Squid and I have exact values as you mention on tcp_syncookies and
tcp_max_syn_backlog
$ echo "1" >/proc/sys/net/ipv4/tcp_syncookies
$ echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog
I will check how can I implement it on iptables or if you have link can please
forward it to me.
Thanks again,
Wennie
This can be useful:
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.5
But from here on, this is more an iptables question.

Thanks
Emilio C.
Craig Home
2006-06-20 15:21:48 UTC
Please help me unsubscribe from this list. I have tried asking for help now
5 times.

many thanks

Craig
Neil A. Hillard
2006-06-20 16:08:01 UTC
Craig,
Post by Craig Home
Please help me unsubscribe from this list. I have tried asking for help
now 5 times.
Read the SMTP headers.


Neil.
--
Neil Hillard ***@whl.co.uk
Westland Helicopters Ltd. http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
Henrik Nordstrom
2006-06-20 19:48:12 UTC
Post by Emilio Casbas
you can need a iptables script and see the 'limit' module in iptables.
Don't do that. It causes more damage than good, leaving your system
easily vulnerable to DoS by SYN flooding. SYN cookies alone solve the
SYN-flood problem very nicely and efficiently.

The log message should be taken more as a hint that you may want to
investigate the current network traffic, as there may be something
broken (a bad cable or similar) OR someone actually trying to SYN-flood
you. But it could also simply be that the server is overloaded. So it's
a hint that the traffic may need to be looked into, not a rule or even a
strong indication of a problem.

Regards
Henrik
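As an added example (not code from this thread, from Squid or from the Linux kernel), the following POSIX shell script turns the two practical points above into checks an admin can run: `syn_flood_summary` counts the kernel's "SYN flooding on port N" notices per port with first and last timestamps, which is the concrete form of Henrik's "look into the traffic" advice (one notice on an idle port and a sustained run of them on port 8080 are different situations), and `syn_sysctl_check` reports the two /proc/sys knobs Emilio named. The log lines are constructed, the function names and the `--demo` switch are my own, and the optional ROOT argument exists only so the sysctl check can be run against a directory of constructed files instead of the live system.

```shell
#!/bin/sh
# Added triage helper for "possible SYN flooding" kernel notices (not from the thread).

# Constructed sample of syslog lines, in the format message.log / dmesg use.
SAMPLE_LOG='Jun 20 11:05:01 proxy kernel: possible SYN flooding on port 8080. Sending cookies.
Jun 20 11:05:33 proxy kernel: possible SYN flooding on port 8080. Sending cookies.
Jun 20 11:07:12 proxy kernel: possible SYN flooding on port 3128. Sending cookies.
Jun 20 11:09:44 proxy kernel: possible SYN flooding on port 8080. Sending cookies.
Jun 20 11:10:02 proxy sshd[123]: Accepted publickey for admin from 10.0.0.5'

# syn_flood_summary: reads log lines on stdin and prints one line per port,
#   "<count> <port> <first-seen> <last-seen>", busiest port first.
# The match is case-insensitive so it also catches the newer kernel wording
# ("Possible SYN flooding on port N. Sending cookies. Check SNMP counters.").
syn_flood_summary() {
    awk '
    tolower($0) ~ /syn flooding on port [0-9]+/ {
        line = tolower($0)
        sub(/.*syn flooding on port /, "", line)
        sub(/[^0-9].*/, "", line)          # keep only the port number
        port = line
        ts = $1 " " $2 " " $3             # syslog "Mon DD HH:MM:SS" prefix
        if (!(port in count)) first[port] = ts
        count[port]++
        last[port] = ts
    }
    END { for (p in count) print count[p], p, first[p], last[p] }
    ' | sort -rn
}

# syn_sysctl_check [ROOT]: reports the two knobs from the thread as
#   "<knob> <value> <ok|warn|info>". ROOT defaults to "" (the live system);
#   passing a directory lets the function run against constructed files.
syn_sysctl_check() {
    root="${1:-}"
    base="$root/proc/sys/net/ipv4"
    for knob in tcp_syncookies tcp_max_syn_backlog; do
        if [ -r "$base/$knob" ]; then
            val=$(cat "$base/$knob")
        else
            val=missing
        fi
        case "$knob:$val" in
            tcp_syncookies:1|tcp_syncookies:2) state=ok ;;   # 1 = when needed, 2 = always
            tcp_syncookies:*)                  state=warn ;; # off or unreadable
            *:missing)                         state=warn ;;
            *)                                 state=info ;; # backlog size: report only
        esac
        echo "$knob $val $state"
    done
}

# Run with --demo to see both helpers on the sample log and the live system.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | syn_flood_summary
    syn_sysctl_check
fi
```

In practice you would feed `syn_flood_summary` with `grep kernel /var/log/messages` or `dmesg`. One caveat that the echo commands in the thread hide: a write to /proc/sys lasts only until the next reboot; to make the setting persistent, put `net.ipv4.tcp_syncookies = 1` in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply it with `sysctl -p`. On most current distributions tcp_syncookies is already 1 by default, which is why the check reports it rather than changing it.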
