
Apache2: How to prevent SYN attacks?

When router and hardware firewall etc is not possible?


craig1972

2:31 pm on Feb 14, 2008 (gmt 0)

10+ Year Member



Hi.

My server is under SYN attack. I use WHM/cPanel on Apache 2.2.6.

How to prevent this? I have done that tcp_syncookie thing (already done at system boot as it's in my sysctl.cnf file) but that doesn't help at all.

I cannot afford Cisco guard or some expensive hardware firewall.

And I already have mod_evasive and (d)dos_deflate installed from medialayer. Plus, I have ConfigServer Firewall (csf/LFD) with SYN blocking enabled.

None of this is working. My server load is huge. I've tweaked the MaxClients down several times, now at 200.

Any other ideas? (The search here yielded nothing, only 8 threads, none of which are informative).

Thanks!

webdoctor

4:01 pm on Feb 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You may have considered all of these already, but...

Are you certain that your kernel supports SYN cookies *and* that they are correctly enabled?

What kind of server is this? Can you easily increase system resources e.g. add more memory?

Did the system run at a high load before the attack?

mjwalshe

4:53 pm on Feb 14, 2008 (gmt 0)

10+ Year Member



What have you got router-wise connecting you to the Internet? Even the basic Cisco 2600s and 2500s can be hardened.

And what SYN attack are you talking about?

craig1972

12:15 am on Feb 15, 2008 (gmt 0)

10+ Year Member



I'm talking about SYN flood. Don't know what exact kind. Let me know how to find out.

Router is Cisco 2600. What should I tell my hosting provider about hardening?

It's a dual Core 2 Duo server with 4GB RAM. It has been working like a charm until recently. The system ran without any problems!

My concern is: with all the stuff I have (mod_evasive, ddos_deflate, CSF/LFD syn protection) why is it all so useless?
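The checks below are an added example (shell, not code posted by anyone in this thread) giving craig1972's "let me know how to find out" a concrete answer, and also confirming that the tcp_syncookies setting from the first post is actually in effect. It summarises half-open sockets from `netstat -tan` (or `ss -tan`) output, decodes the syncookies sysctl, and looks for the kernel's "SYN flooding" log line. The socket-table lines and the kernel-log line are constructed, not real captures; the thresholds in synflood_verdict are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a suspected SYN flood on a Linux box
# from what the kernel already exposes: the socket table (netstat -tan / ss -tan),
# the tcp_syncookies sysctl, and the kernel log. Assumes 2.6-era Linux interfaces.

# synrecv_summary: read socket-table lines on stdin, print one line:
#   total=<half-open sockets> peers=<distinct source IPs> top=<busiest source>:<n> port=<busiest local port>:<n>
# Handles both layouts because netstat -tan (state in column 6) and ss -tan
# (state in column 1) both put the local address in column 4 and the peer in column 5.
synrecv_summary() {
  awk '
    /SYN_RECV|SYN-RECV/ {
      total++
      peer = $5; sub(/:[0-9]+$/, "", peer)   # keep the source IP, drop its port
      lport = $4; sub(/^.*:/, "", lport)     # keep only the local (listening) port
      if (!(peer in bypeer)) npeers++
      bypeer[peer]++; byport[lport]++
    }
    END {
      top = ""; topn = 0
      for (p in bypeer) if (bypeer[p] > topn) { top = p; topn = bypeer[p] }
      port = ""; portn = 0
      for (l in byport) if (byport[l] > portn) { port = l; portn = byport[l] }
      printf "total=%d peers=%d top=%s:%d port=%s:%d\n", total + 0, npeers + 0, top, topn, port, portn
    }'
}

# synflood_verdict TOTAL PEERS TOPN MAX_SYN_BACKLOG
# One dominant source can be dropped with a firewall rule. A backlog full of
# half-open sockets spread thinly over many (usually spoofed) sources cannot be
# blocked per IP, which is why per-address tools such as CSF's SYN limit, or
# mod_evasive (which only ever sees completed HTTP requests), do not help there.
# The 10% share used to call a source "dominant" is an illustrative threshold.
synflood_verdict() {
  total=$1; peers=$2; topn=$3; backlog=$4
  if [ "$total" -lt "$backlog" ]; then
    echo "backlog-not-saturated"
  elif [ "$peers" -gt 1 ] && [ $((topn * 10)) -lt "$total" ]; then
    echo "distributed-flood"
  else
    echo "single-source-flood"
  fi
}

# syncookies_state VALUE: decode net.ipv4.tcp_syncookies. Value 1 (the usual
# /etc/sysctl.conf setting) only sends cookies once the SYN backlog overflows,
# so a full backlog during a flood is expected even when cookies are working.
syncookies_state() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "on-overflow" ;;
    2) echo "always" ;;
    *) echo "unknown" ;;
  esac
}

# flood_reported_in_log: exit 0 if the kernel log on stdin shows the kernel has
# switched to cookies ("possible SYN flooding on port N. Sending cookies." on 2.6
# kernels; later kernels word it a little differently but keep "SYN flooding").
flood_reported_in_log() {
  grep -qi 'SYN flooding'
}

# Constructed sample input (not real captures): a netstat -tan excerpt plus one
# kernel-log line, standing in for `netstat -tan` and `dmesg` on the live host.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.10:80         198.51.100.7:40001      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.8:40002      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40003      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40004      SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.9:40005      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.55:51000        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.56:51001        ESTABLISHED'
SAMPLE_DMESG='possible SYN flooding on port 80. Sending cookies.'

live_triage() {
  # On a live server replace the samples with the real commands:
  #   netstat -tan | synrecv_summary      (or: ss -tan | synrecv_summary)
  #   dmesg | flood_reported_in_log
  #   syncookies_state "$(cat /proc/sys/net/ipv4/tcp_syncookies)"
  summary=$(printf '%s\n' "$SAMPLE_NETSTAT" | synrecv_summary)
  echo "$summary"
  echo "syncookies: $(syncookies_state 1)"
  if printf '%s\n' "$SAMPLE_DMESG" | flood_reported_in_log; then
    echo "kernel has switched to SYN cookies"
  fi
}

live_triage
```

If /proc/sys/net/ipv4/tcp_syncookies does not exist at all, the running kernel was built without SYN cookie support and the sysctl.conf line does nothing; that is the first thing to rule out. Compare the total from synrecv_summary against net.ipv4.tcp_max_syn_backlog: a saturated backlog with no dominant source is the case none of the per-IP tools in the thread can address, and the only effective answers there are SYN cookies on the host and filtering upstream.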

webdoctor

4:36 pm on Feb 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm talking about SYN flood. Don't know what exact kind. Let me know how to find out.

with all the stuff I have (mod_evasive, ddos_deflate, CSF/LFD syn protection) why is it all so useless?

I'll be blunt: if you don't know exactly what kind of attack you're (allegedly) under, how can you know what countermeasures would be appropriate, much less judge whether the countermeasures you (think you) have deployed are being effective?

I'm not trying to imply you're out of your depth, but saying "it's a SYN flood", but then saying "I don't know what kind of SYN flood" looks like you're not yet in a position to respond appropriately.

Why do you think you're under attack? What are the exact symptoms? Why do you think it's a SYN flood? What have you tried so far?

Did your provider say "Your server is down because you're under SYN flood attack"? Perhaps you need to ask them what they suggest doing? If they can't/won't suggest anything, perhaps it's time to find a better provider.

Keeping a website online and available if the bad guys want to take you down is not easy or cheap. Assuming you're in a serious fight with the bad guys, do you have the resources to win it?

Can you tell us a bit more about the kind of site and the technology powering it? e.g. "Mostly static content, Apache2" or "Large forum-based site, PHPBB / MySQL / Apache2".