Two things you probably want to do:
1) Enable SYN cookies (disables use of the TCP backlog). It's used in most
systems to reduce the effects of a SYN flooding attack.
2) Contact your ISP. They can usually help you with such problems. In
general they are not happy with attacks directed to their networks.
- Joris
>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org
>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jonny K
>Sent: Sunday 20 May 2007 7:28
>To: netfilter@lists.netfilter.org
>Subject: Re: Help with DOS attack
>
>> It looks like someone is DoS attacking my server. Any ideas how I can handle it?
>>
>> (I already used sysctl to change the backlog queue to 4096 instead of 1024, and I set the SYN timeout to 9 sec.)
>>
>> Any other ideas?
>>
>>
>> here is my netstat outputs
>>
>>
>> [root@MYHOST ~]# netstat -an | grep SYN_REC | wc
>> 372 2232 33108
>> [root@MYHOST ~]#
>>
>>
>>
>>
>> Ip:
>> 496709034 total packets received
>> 0 forwarded
>>
>> 0 incoming packets discarded
>> 496547054 incoming packets delivered
>> 389034562 requests sent out
>> 55 fragments dropped after timeout
>> 499 reassemblies required
>> 54 packets reassembled ok
>>
>> 55 packet reassembles failed
>> 2 fragments received ok
>> Icmp:
>> 17083 ICMP messages received
>> 25 input ICMP message failed.
>> ICMP input histogram:
>> destination unreachable: 11255
>>
>> timeout in transit: 1579
>> source quenches: 353
>> echo requests: 3880
>> echo replies: 16
>> 24339 ICMP messages sent
>> 0 ICMP messages failed
>> ICMP output histogram:
>> destination unreachable: 20459
>>
>> echo replies: 3880
>> Tcp:
>> 33725 active connections openings
>> 38693945 passive connection openings
>> 312156 failed connection attempts
>> 521243 connection resets received
>> 3 connections established
>>
>> 495811236 segments received
>> 388303537 segments send out
>> 14565173 segments retransmited
>> 10279 bad segments received.
>> 136512 resets sent
>> Udp:
>> 718164 packets received
>> 571 packets to unknown port received.
>>
>> 0 packet receive errors
>> 720360 packets sent
>> TcpExt:
>> 421 SYN cookies sent
>> 99 SYN cookies received
>> 43807 invalid SYN cookies received
>> 1188232 resets received for embryonic SYN_RECV sockets
>>
>> 14 packets pruned from receive queue because of socket buffer overrun
>> 221 ICMP packets dropped because they were out-of-window
>> 71 ICMP packets dropped because socket was locked
>> 34829434 TCP sockets finished time wait in fast timer
>>
>> 2 time wait sockets recycled by time stamp
>> 15358 packets rejects in established connections because of timestamp
>> 256833 delayed acks sent
>> 2653 delayed acks further delayed because of locked socket
>>
>> Quick ack mode was activated 119773 times
>> 74580 times the listen queue of a socket overflowed
>> 74580 SYNs to LISTEN sockets ignored
>> 39205589 packets directly queued to recvmsg prequeue.
>> 8376974 packets directly received from backlog
>>
>> 2265096902 packets directly received from prequeue
>> 806823 packets header predicted
>> 36687371 packets header predicted and directly queued to user
>> 238781476 acknowledgments not containing data received
>>
>> 125709890 predicted acknowledgments
>> 29275 times recovered from packet loss due to fast retransmit
>> 1927589 times recovered from packet loss due to SACK data
>> 1362 bad SACKs received
>> Detected reordering 6628 times using FACK
>>
>> Detected reordering 4312 times using SACK
>> Detected reordering 4875 times using reno fast retransmit
>> Detected reordering 11976 times using time stamp
>> 6435 congestion windows fully recovered
>>
>> 66640 congestion windows partially recovered using Hoe heuristic
>> TCPDSACKUndo: 957
>> 16664 congestion windows recovered after partial ack
>> 4188573 TCP data loss events
>> TCPLostRetransmit: 1192
>>
>> 5491 timeouts after reno fast retransmit
>> 260050 timeouts after SACK recovery
>> 200153 timeouts in loss state
>> 6505780 fast retransmits
>> 695080 forward retransmits
>> 4881678 retransmits in slow start
>>
>> 1084146 other TCP timeouts
>> TCPRenoRecoveryFail: 14786
>> 306771 sack retransmits failed
>> 2225 times receiver scheduled too late for direct processing
>> 294 packets collapsed in receive queue due to low socket buffer
>>
>> 121753 DSACKs sent for old packets
>> 64 DSACKs sent for out of order packets
>> 1007539 DSACKs received
>> 1099 DSACKs for out of order packets received
>> 10295 connections reset due to unexpected data
>>
>> 102 connections reset due to early user close
>> 64688 connections aborted due to timeout
>>
>>
>
>
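Added example, not part of the original thread: a small shell helper that pulls the SYN-flood-related counters out of `netstat -s` output like the dump quoted above and reports the current SYN-cookie setting. The function names and the name=value output format are assumptions made for this example; the sample input is constructed from the values in the post.

```shell
#!/bin/sh
# Added example: extract the SYN-flood indicators from `netstat -s` text.

# Constructed sample in `netstat -s` layout; values are those quoted in the thread.
sample_netstat() {
    cat <<'EOF'
    421 SYN cookies sent
    99 SYN cookies received
    43807 invalid SYN cookies received
    1188232 resets received for embryonic SYN_RECV sockets
    74580 times the listen queue of a socket overflowed
    74580 SYNs to LISTEN sockets ignored
EOF
}

# Read `netstat -s` text on stdin, print the SYN-related counters as name=value.
syn_counters() {
    awk '
        /invalid SYN cookies received/          { invalid = $1; next }
        /SYN cookies sent/                      { sent = $1 }
        /SYN cookies received/                  { recvd = $1 }
        /resets received for embryonic/         { embryonic = $1 }
        /listen queue of a socket overflowed/   { overflow = $1 }
        /SYNs to LISTEN sockets ignored/        { ignored = $1 }
        END {
            printf "cookies_sent=%d\ncookies_received=%d\ncookies_invalid=%d\n", sent, recvd, invalid
            printf "embryonic_resets=%d\nlisten_overflows=%d\nsyns_ignored=%d\n", embryonic, overflow, ignored
        }'
}

# The counters are cumulative since boot, so compare two saved snapshots
# (files written by syn_counters) to see which ones are growing right now.
syn_delta() {
    awk -F= 'NR == FNR { before[$1] = $2; next }
             { printf "%s=%d\n", $1, $2 - before[$1] }' "$1" "$2"
}

# Current SYN-cookie setting on Linux: 0 = off, 1 = used when the SYN
# backlog overflows, 2 = always; prints "unknown" if the file is unreadable.
syncookies_state() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

sample_netstat | syn_counters
echo "tcp_syncookies=$(syncookies_state)"
```

On a live host, run `netstat -s | syn_counters > file` twice a few seconds apart and pass both files to `syn_delta`.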