Identifying SYN attack
====================
Load becomes very inconcistant
netstat -an | grep SYN (if long list SYN_REC)
netstat -n -p|grep SYN_REC|wc -l (gives count of SYN attacks)
also checking acces_logs (if perticular IP found to be requesting most
then can block that IP)
Yyou can go for below
====================
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
==============================
netstat -an | grep SYN | more
iptables -A INPUT -s IP -j DROP
iptables -A INPUT -s 168.75.16.116 -j DROP
iptables restart
Look for this lines in your /etc/httpd/conf/httpd.conf
Code:——————————————————————————–
# KeepAlive: Whether or not to allow persistent connections (more than
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
KeepAliveTimeout 15
——————————————————————————–
Set KeepAlive On to Off with your favorite text editor
that should work, if not you may be a victim of DoS attack
======================================================
echo 90 > /proc/sys/net/ipv4/tcp_keepalive_time