Mitigating SYN Floods

Defending against SYN floods and other TCP-level attacks is a matter of hardening your kernel. It is not something LiteSpeed Web Server or any other HTTP server can deal with. (For an explanation of how SYN floods work and why they are not related to your HTTP server, please see this blog article. This wiki will assume you understand SYN floods and the TCP handshake.) That being said, here are some simple steps for hardening your Linux kernel:

1. Turn on syncookies

In /etc/sysctl.conf add

net.ipv4.tcp_syncookies = 1

Syncookies allow your system to serve more TCP connection requests. Instead of recording each TCP connection request and waiting for a response, the system sends a cookie with its SYN-ACK response and discards the original SYN entry. Any ACK response the system then receives from the client carries information about this cookie, allowing the server to recreate the original entry. 1 enables this feature, 0 disables it. This setting is off by default.

2. Set your backlog limit

In /etc/sysctl.conf add

net.ipv4.tcp_max_syn_backlog = 2048

This setting tells the system when to start using syncookies. When you have more than 2,048 (or whatever number you set it to) TCP connection requests in your queue, the system will start using syncookies. Keep this number fairly high so that syncookies are not used for normal traffic. (Syncookies can be taxing for the CPU.)

3. Lower the number of SYN-ACK retries

In /etc/sysctl.conf add

net.ipv4.tcp_synack_retries = 3

This setting tells your system how many times to retry sending the SYN-ACK reply before giving up. The default is 5. Lowering it to 3 essentially lowers the turnaround time on a TCP connection request to about 45 seconds. (It takes about 15 seconds per attempt.)

4. Apply these changes now

The changes above will not take effect until you reboot. To apply them now, use

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

If you run only the echo commands above without also editing /etc/sysctl.conf, the changes will be lost the next time you reboot.
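The four steps above, as one added shell example that is not part of the LiteSpeed wiki: it records the three settings in a sysctl.conf file without duplicating lines, then compares them against the running kernel's values. PROC_ROOT is an assumed variable so the check can be pointed at a test directory instead of the real /proc/sys.

```shell
#!/bin/sh
# Added example (not from the LiteSpeed wiki): persist the three settings in a
# sysctl.conf file idempotently and compare them with the live /proc/sys values.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"   # assumed knob: point at a test dir to dry-run
# The settings from the wiki, as key=value pairs (one per line)
SETTINGS="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=3"

# set_sysctl_line FILE KEY VALUE: rewrite an existing "KEY = ..." line or append one
set_sysctl_line() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp="$file.tmp.$$"
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# record_settings FILE: persist all three settings (idempotent, safe to re-run)
record_settings() {
    for kv in $SETTINGS; do
        set_sysctl_line "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# live_value KEY: read the running value; dots in the key map to path components
live_value() {
    cat "$PROC_ROOT/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# check_hardening: report each key; exit status 0 only when every value matches
check_hardening() {
    rc=0
    for kv in $SETTINGS; do
        key=${kv%%=*} want=${kv#*=}
        have=$(live_value "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key = $have"
        else
            echo "FAIL $key = ${have:-<unreadable>} (want $want)"
            rc=1
        fi
    done
    return $rc
}
```

Run `record_settings /etc/sysctl.conf` as root, apply with the echo commands above (or `sysctl -p`), then `check_hardening` to confirm the live values match.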

litespeed_wiki/mitigating_syn_floods.txt · Last modified: 2014/06/24 14:25 by Michael Armstrong