Archive

Articles tagged 'ddos attack'

Homemade DDoS Protection Using IPTables SYNPROXY

03/11/2015 Comments off


First off, if you want the real deal and want your service protected from even the most complex types of DDoS attacks by security specialists today, don't bother reading about SYNPROXY and instead check out our Anti DDoS Hosting and Remote DDoS Protection. If you are an experienced system or network admin and feel confident that you can use SYNPROXY as an addition to your current DDoS mitigation strategy, continue reading.

It's nothing new that DDoS attacks have been growing constantly in size and quantity over the years, making them more likely to affect you personally with every month that passes. Apart from DNS amplification attacks, SYN floods are one of the most common DDoS attack types today. Until recently, Linux systems were very bad at handling SYN floods compared to *BSD, whose default firewall "PF" has had a SYN proxy feature built in for quite a while now, which is a good approach to SYN flood mitigation. The Linux default firewall "IPTables" lacked a similar feature for a long time, and the only way to mitigate SYN floods was the kernel's "syncookie" feature, which is nowhere near as performant as one would wish when under a SYN flood.

Finally, after years of lacking appropriate SYN flood mitigation options under Linux, the new "SYNPROXY" target was introduced with the 3.12 kernel and IPTables version 1.4.21, and it fills that gap quite successfully. It's not a cure for every SYN flood, because most ISPs are likely to nullroute your IP before the attack clogs your TCP/IP stack, and your NIC will probably be overwhelmed by interrupts before your kernel is. Still, tests have shown a major increase in performance when under a SYN flood, SYN-ACK flood or ACK flood.

While a Linux kernel with default settings usually starts generating excessive software interrupts and dropping packets at as little as 200,000 packets per second (PPS), it can handle multiple millions of packets per second with the strategy explained in this tutorial. The number of SYN packets it can handle per second increases by a factor of 10, and the number of ACK packets it can handle per second increases by a factor of 20, which is a major advantage when you have to handle large amounts of packets (read: you're under a SYN or ACK flood).

IPTables "SYNPROXY" on Debian Wheezy
In this example we'll use a Debian Wheezy system for our setup. I can imagine this being used on Vyatta boxes in the future to protect whole network segments effectively with very cheap hardware. The first thing we'll have to do is upgrade our kernel and iptables version.
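The two prerequisites named above (kernel 3.12 or later, iptables 1.4.21 or later) are easy to get wrong on a Wheezy box that has only partially been upgraded, so here is an added example, not the article's own code, that checks them and prints the standard SYNPROXY ruleset for one TCP port. The port number, the helper names and the sysctl values are this example's assumptions; the rules are printed rather than applied so they can be reviewed first.

```bash
#!/bin/sh
# Added example (not the article's code): verify the kernel/iptables minimums
# the article names and emit a SYNPROXY ruleset for one TCP port.
MIN_KERNEL="3.12"
MIN_IPTABLES="1.4.21"

# version_ge A B: exit 0 when dotted version A >= B, comparing field by field.
version_ge() {
  a="$1"; b="$2"; i=1
  while :; do
    fa=$(echo "$a" | cut -d. -f"$i"); fb=$(echo "$b" | cut -d. -f"$i")
    [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields equal
    fa=${fa:-0}; fb=${fb:-0}                   # missing field counts as 0
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
    i=$((i + 1))
  done
}

# prereq_ok KERNEL IPTABLES: exit 0 when both meet the article's minimums.
prereq_ok() {
  version_ge "$1" "$MIN_KERNEL" && version_ge "$2" "$MIN_IPTABLES"
}

# synproxy_rules PORT: print the commands that put SYNPROXY in front of PORT.
# Incoming SYNs to the port are excluded from conntrack in the raw table, so
# the INPUT rule sees them as UNTRACKED and SYNPROXY answers the handshake;
# only clients that complete it ever reach the real service. Conntrack
# must also be told not to pick up mid-stream (tcp_loose=0), and anything
# still INVALID after that (for instance a bare ACK flood) is dropped.
synproxy_rules() {
  port="$1"
  cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
iptables -t raw -A PREROUTING -p tcp --dport $port --syn -j CT --notrack
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# On a live host (assumed invocation; strip the Debian "-4-amd64" suffix):
# prereq_ok "$(uname -r | cut -d- -f1)" "$(iptables -V | awk '{print $2}' | tr -d v)" \
#   && synproxy_rules 80
```

Pipe the printed commands into `sh` only once the kernel and iptables checks pass on the upgraded system; on an older kernel the `-j SYNPROXY` rule is simply rejected.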

Read more…