Syn Attack – 6 Months – Thousands Of Request A Second


Hi All,

For the last 6 months our site has been under a severe brute-force SYN flood attack. They keep bombarding a single URL of the server, which is an XML file. They are not attacking any other URL.

e.g. http://www.example.com/rss123/attackedfilename.xml

What we have done till now is listed below, together with the configurations.

sysctl.conf
```ini
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# tcp_syncookies is repeated below; duplicate keys are harmless, the last value wins
net.ipv4.tcp_syncookies = 1
# Fewer SYN-ACK retransmissions so half-open entries expire sooner
net.ipv4.tcp_synack_retries = 2
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# 65536 seems to be the max it will take
net.ipv4.ip_conntrack_max = 1048576
# TCP receive/send buffer sizes: min, default, max (bytes)
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
# Packets queued on the input side when the NIC delivers faster than the kernel processes
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
```

fwsnort, bfd, burnintest, chkrootkit, ddos, faf, lsm, nobody_check, sim, apf

modsecurity-apache
```apache
LoadModule evasive20_module /usr/lib64/httpd/modules/mod_evasive20.so

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097      # size of the per-child hash table of tracked clients
    DOSPageCount 3             # requests for the same URI per DOSPageInterval before blocking
    DOSSiteCount 50            # requests for any URI per DOSSiteInterval before blocking
    DOSPageInterval 1          # seconds
    DOSSiteInterval 1          # seconds
    DOSBlockingPeriod 30       # seconds a blocked client keeps receiving 403
</IfModule>

LoadModule security_module /usr/lib64/httpd/modules/mod_security.so

# This block repeats the one above verbatim; Apache applies the last definition of each directive
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 3
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 30
</IfModule>
```

Firewall: APF

Again,
Hope this helps you to see the issue in detail. I have also put in the latest configurations to keep the site going.
Besides all these details, please let me know of any suggestion you think will be helpful or any details you want.
Thank you for your help in advance! Help!

Regards,

Sam
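As an added illustration (not the poster's configuration or mod_evasive's own code), the following Python approximates how the posted DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval thresholds classify clients when run over Apache access-log lines; the IP addresses, timestamp and URIs are constructed, and the per-second bucketing is a simplification of mod_evasive's sliding window.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Thresholds as posted in the thread's mod_evasive block
DOS_PAGE_COUNT = 3       # DOSPageCount: hits on one URI per interval before blocking
DOS_PAGE_INTERVAL = 1    # DOSPageInterval, seconds
DOS_SITE_COUNT = 50      # DOSSiteCount: hits on any URI per interval before blocking
DOS_SITE_INTERVAL = 1    # DOSSiteInterval, seconds
ATTACKED_URI = "/rss123/attackedfilename.xml"

# Apache common log format: client, ident, user, [timestamp], "METHOD URI ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<uri>\S+)')

def parse_line(line):
    """Return (ip, uri, epoch_second) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], m["uri"], int(ts)

def evaluate(lines):
    """Return {ip: reason} for clients that would trip the thresholds above."""
    page_hits, site_hits, blocked = Counter(), Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri, ts = parsed
        page_key = (ip, uri, ts // DOS_PAGE_INTERVAL)
        site_key = (ip, ts // DOS_SITE_INTERVAL)
        page_hits[page_key] += 1
        site_hits[site_key] += 1
        if page_hits[page_key] > DOS_PAGE_COUNT:
            blocked.setdefault(ip, f"more than {DOS_PAGE_COUNT} hits on {uri} in {DOS_PAGE_INTERVAL}s")
        elif site_hits[site_key] > DOS_SITE_COUNT:
            blocked.setdefault(ip, f"more than {DOS_SITE_COUNT} hits site-wide in {DOS_SITE_INTERVAL}s")
    return blocked

def make_line(ip, ts, uri):
    """Build a constructed common-log line (sample data, not a real log)."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {uri} HTTP/1.1" 200 512'

T0 = 1_700_000_000  # arbitrary epoch second; all sample hits land in the same second
SAMPLE_LOG = (
    [make_line("198.51.100.7", T0, ATTACKED_URI) for _ in range(5)]       # one client hammering the XML
    + [make_line("203.0.113.5", T0, f"/page{i}.html") for i in range(2)]  # ordinary visitor
    + [make_line("192.0.2.9", T0, f"/p{i}.html") for i in range(60)]      # many distinct URIs, trips site rule
)

if __name__ == "__main__":
    for ip, why in evaluate(SAMPLE_LOG).items():
        print(ip, why)
```

Note that this sees only completed HTTP requests: a pure SYN flood never reaches Apache's access log, which is why the sysctl settings and the firewall, not mod_evasive, are the layer that handles it.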