I would use a firewall at the network perimeter to prevent/remediate SYN flood attacks (as well as DOS, DDOS, spoofing, port probes, address space probes, etc.). I don't want this type of stuff getting into my internal network, where I'll have to deal with it on a machine-by-machine basis.
OK, so I asked the same question on webhostingtalk and, though I didn't get a direct answer, it helped to widen the horizon :)
Basically, I ignored application-level (web server) limits. But this nice gentleman from the Netherlands dug deeper and posted his very relevant findings here:
http://blog.dubbelboer.com/2012/04/09/syn-cookies.html
Basically the web server (I was using nginx) is passing a constant (the listen backlog limit) to the listen function; it is defined here:
https://github.com/git-mirror/nginx/...x_config.h#L97
#define NGX_LISTEN_BACKLOG 511
So kernel limits are not even in play yet.
The nginx constant is compiled in, so I quickly checked Apache; luckily it is configurable:
http://httpd.apache.org/docs/2.0/mod...#listenbacklog
So I set it to 8k and got what I needed (well, 2 packets lost):
source:
hping -S -c 20000 -i u20 -p 80 target
target:
netstat -nta | grep SYN_RECV | wc
8192 49152 729088
Finally, my original 256-connection limit was actually due to the fact that I initially sent requests to port 22 (and sshd obviously has its TCP connection backlog set at 256).
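As an added example (not code from the thread or from nginx/Apache), a small POSIX shell check that puts the findings above into one number: the kernel clamps the backlog an application passes to listen() at net.core.somaxconn, and the half-open (SYN) queue is further bounded by net.ipv4.tcp_max_syn_backlog, so the script takes the smallest of the three and reports what share of it the SYN_RECV entries for a given port occupy. The netstat snapshot and the limit values are constructed; on a live box feed it `netstat -nta` and the real sysctl values as shown in the comment.

```shell
#!/bin/sh
# Added example: how full is a listener's half-open queue?
# Sample data and limits below are constructed, not taken from the thread.

# Effective SYN backlog for one listener: the smallest of the backlog the
# application passed to listen() (511 for nginx, ListenBacklog for Apache),
# net.core.somaxconn and net.ipv4.tcp_max_syn_backlog.
effective_backlog() {   # $1 = app backlog, $2 = somaxconn, $3 = tcp_max_syn_backlog
    m=$1
    for v in "$2" "$3"; do
        if [ "$v" -lt "$m" ]; then m=$v; fi
    done
    echo "$m"
}

# Count SYN_RECV sockets on a local port from "netstat -nta" output on stdin.
# Columns: Proto Recv-Q Send-Q Local Foreign State, so $4 is local, $6 is state.
count_syn_recv() {      # $1 = local port
    awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") { n++ } END { print n+0 }'
}

# Percent of the effective backlog occupied by half-open connections.
backlog_usage() {       # $1 = port, $2 = app backlog, $3 = somaxconn, $4 = max_syn_backlog
    half_open=$(count_syn_recv "$1")
    limit=$(effective_backlog "$2" "$3" "$4")
    echo $(( half_open * 100 / limit ))
}

# Constructed netstat -nta snapshot: three half-open on :80, one on :22.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:33333        ESTABLISHED'

# Live use (Linux):
#   netstat -nta | backlog_usage 80 511 "$(cat /proc/sys/net/core/somaxconn)" \
#       "$(cat /proc/sys/net/ipv4/tcp_max_syn_backlog)"
printf '%s\n' "$SAMPLE" | backlog_usage 80 511 128 1024
```

Once net.ipv4.tcp_syncookies kicks in the queue no longer fills, so a low SYN_RECV count under load is not by itself proof that the backlog was big enough.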
Best Answer
Yes, it is possible to re-compile the kernel with the protections for the SYN flood attacks, but I don't see a reason for the same.
You need to re-compile the kernel in systems which don't have the capability to change kernel parameters by commands. But if you still want to do that, then you need to change the C code in the kernel.
For example, in Digital Unix, you change the two parameters in header files and then rebuild the operating system. In /usr/sys/include/sys/socket.h, change the SOMAXCONN definition so the 8 becomes 1024. In /usr/sys/include/netinet/tcp_timer.h, change the TCPTV_KEEP_INIT definition from 75*PR_SLOWHZ to 25*PR_SLOWHZ. Then rebuild the kernel using Digital Unix procedures, which are unique to this Unix version.
You can also rebuild the kernel, changing these same two parameters, on a Berkeley-derived Unix system. However, they're found in different locations, namely /usr/src/sys/netinet/tcp_timer.h and /usr/src/sys/sys/socket.h. After reading this, if you feel that you don't need to re-compile the kernel, then use the following options to mitigate SYN flood attacks.
To make the changes persistent across reboots, put these entries into the /etc/sysctl.conf file. You can read more details about these at these URLs:
Hope this answers your question. Feel free to comment if you need more clarifications.