litespeed_wiki:mitigating_syn_floods [2014/06/24 18:25]
Michael Armstrong
===== Mitigating SYN Floods =====

Defending against SYN floods and other TCP-level attacks is a matter of hardening your kernel. It is not something LiteSpeed Web Server or any other HTTP server can handle, because the attack is absorbed by the kernel's TCP stack before any connection is ever handed to the web server. (For an explanation of how SYN floods work and why they are not related to your HTTP server, please see [[http://blog.litespeedtech.com/?p=926|this blog article]]. This wiki will assume you understand SYN floods and the TCP handshake.) That being said, here are some simple steps for hardening your Linux kernel:

==== 1. Turn on syncookies ====

In ''/etc/sysctl.conf'' add

<code>net.ipv4.tcp_syncookies = 1</code>

Syncookies allow your system to serve more TCP connection requests under load. Instead of recording each TCP connection request and waiting for the client's response, the system sends a cookie in its SYN-ACK response and drops the original SYN entry. Any ACK response the system then receives from the client carries information about this cookie, allowing the server to recreate the original entry. ''1'' enables this feature, ''0'' disables it. This setting is off by default.

==== 2. Set your backlog limit ====

In ''/etc/sysctl.conf'' add

<code>net.ipv4.tcp_max_syn_backlog = 2048</code>

This setting tells the system when to start using syncookies. When you have more than 2,048 (or whatever number you set it to) TCP connection requests in your queue, the system will start using syncookies. Keep this number fairly high so that syncookies are not used for normal traffic. (Syncookies can be taxing for the CPU.)

==== 3. Lower the number of SYN-ACK retries ====

In ''/etc/sysctl.conf'' add

<code>net.ipv4.tcp_synack_retries = 3</code>

This setting tells your system how many times to retry sending the SYN-ACK reply before giving up. The default is ''5''. Lowering it to ''3'' reduces the turnaround time on a TCP connection request to about 45 seconds. (It takes about 15 seconds per attempt.)

==== 4. Apply these changes now ====

The changes above will not take effect until you reboot. To apply them now, use

<code>echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries</code>

Running only the echo commands above without also editing ''/etc/sysctl.conf'' means the changes will be lost the next time you reboot.
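As an added example (not part of the original wiki page), the script below audits the three settings from steps 1 to 4: it checks which values are persisted in a sysctl.conf file, and on Linux flags values that are correct in the running kernel but missing from the file, i.e. applied with ''echo'' only and therefore lost at reboot. The function names and the optional file-path argument are this example's own choices.

```shell
#!/bin/sh
# Audit the three sysctl settings from this page: what is persisted in a
# sysctl.conf (survives reboot) versus what the running kernel uses now.

# Recommended key=value pairs from the steps above.
RECOMMENDED="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=3"

# persisted_value FILE KEY: print the value KEY is set to in FILE, ignoring
# comments and whitespace; the last assignment wins, as with 'sysctl -p'.
persisted_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# live_value KEY: the running value under /proc/sys (empty when not on Linux).
live_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# audit_file FILE: one line per recommended key, prefixed ok / missing / differs.
audit_file() {
    printf '%s\n' "$RECOMMENDED" | while IFS== read -r key want; do
        have=$(persisted_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "missing $key (add '$key = $want' to $1)"
        elif [ "$have" != "$want" ]; then
            echo "differs $key persisted=$have recommended=$want"
        else
            echo "ok $key"
        fi
    done
}

# audit_ok FILE: succeed only when every recommended key is persisted correctly.
audit_ok() {
    ! audit_file "$1" | grep -qv '^ok '
}

# audit_live FILE: flag keys that are right in the running kernel but absent
# from FILE, i.e. set with 'echo > /proc/sys' and lost at the next reboot.
audit_live() {
    printf '%s\n' "$RECOMMENDED" | while IFS== read -r key want; do
        [ "$(live_value "$key")" = "$want" ] && [ -z "$(persisted_value "$1" "$key")" ] &&
            echo "volatile $key is $want now but not in $1"
    done
}

# Usage: sh audit_syn.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then audit_file "$1"; audit_live "$1"; fi
```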