Defending Against TCP SYN Flood Attacks

Posted by spyboy

In this tutorial, we’ll guide you through setting up basic defenses against TCP SYN flood attacks on a Linux server using firewall rules. While this is just one aspect of network security, it’s an essential step in protecting your server from DDoS attacks.

Prerequisites

  • A Linux server (e.g., Ubuntu, CentOS)
  • Administrative access (root or sudo privileges)

Step 1: Update Your System

It’s essential to start with a well-maintained system. Update your server’s package list and upgrade installed packages:

sudo apt update
sudo apt upgrade

Step 2: Install a Firewall

If you don’t have a firewall installed, you can use ufw (Uncomplicated Firewall) on Ubuntu. For other distributions, you might use iptables or another firewall tool.

sudo apt install ufw

Step 3: Enable the Firewall

Enable the firewall:

sudo ufw enable

Step 4: Create Firewall Rules

Now, let’s create rules to protect your server from SYN flood attacks. We will set some basic rate limits to control incoming connections.

# Allow SSH traffic (adjust the port if needed)
sudo ufw allow 22/tcp

# Established and related connections: ufw already accepts these by default
# (conntrack rule in /etc/ufw/before.rules), and the ufw command line has no
# "state" keyword, so no extra rule is needed for them.

# Rate-limit new connections to port 80: ufw's "limit" action blocks a source
# address that attempts 6 or more new connections within 30 seconds (the
# threshold is fixed by ufw and cannot be changed from the command line)
sudo ufw limit in on eth0 to any port 80 proto tcp

The last rule limits new connections to port 80 (HTTP) from any single source address, which blunts SYN floods sent from a handful of hosts. Because it counts per source, it does little against a flood that spoofs a constantly changing source address; for that case the kernel's SYN cookies (net.ipv4.tcp_syncookies, enabled by default on modern kernels) are the primary defense, and the firewall rule is a complement to them.

Step 5: Enable the Firewall Rules

Rules added while ufw is active take effect immediately; running enable again is harmless and makes sure the firewall is on:

sudo ufw enable

Step 6: Check Firewall Status

Ensure the rules are correctly applied:

sudo ufw status

You should see the rules you added listed, with the port 80 rule showing LIMIT in the Action column.

Step 7: Test the Configuration

To test your firewall and SYN flood protection, you can use a tool like hping3 to simulate SYN flood attacks.

# Install hping3
sudo apt install hping3

# Simulate a SYN flood attack on your server's IP and port 80
sudo hping3 -S --flood -p 80 <your_server_ip>

After a handful of connection attempts from the test host, the limit rule should start rejecting its SYN packets, so a single-source flood cannot fill the server's half-open connection queue. You can confirm this on the server with sudo ufw status and by watching for "[UFW LIMIT BLOCK]" entries in the kernel log (sudo journalctl -k, or /var/log/ufw.log where rsyslog splits it out).
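Bringing the tutorial's rules together with a quick health check you can run before and during the hping3 test, as an added example that is not part of the original post. It assumes iproute2's ss, sysctl and ufw are installed, that the apply mode runs as root, and an interface name of eth0 (override with IFACE); the ss output embedded in the script is constructed sample data.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: spot SYN-flood symptoms and apply
# the tutorial's ufw rules. Assumes ss, sysctl and ufw; 'apply' needs root.
set -eu
IFACE="${IFACE:-eth0}"
# Constructed sample of `ss -Hant` output (no header): one source holds three
# half-open (SYN-RECV) connections to port 80, another holds one.
SAMPLE_SS='SYN-RECV 0 0 10.0.0.5:80 203.0.113.7:40001
SYN-RECV 0 0 10.0.0.5:80 203.0.113.7:40002
ESTAB    0 0 10.0.0.5:22 198.51.100.2:51000
SYN-RECV 0 0 10.0.0.5:80 203.0.113.7:40003
SYN-RECV 0 0 10.0.0.5:80 198.51.100.9:40004'

# Count half-open connections: ss rows whose State column is SYN-RECV (stdin).
count_half_open() { awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'; }

# Print "count peer-address" for the top $1 sources of half-open connections.
# A few addresses with many entries is the flood ufw's per-IP limit can stop;
# many addresses with one entry each looks like a spoofed-source flood.
top_sources() {
  awk '$1 == "SYN-RECV" { p = $5; sub(/:[0-9]+$/, "", p); print p }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }' | head -n "${1:-5}"
}

# Report whether the half-open count on stdin reaches the threshold in $1.
half_open_status() {
  n=$(count_half_open)
  if [ "$n" -ge "$1" ]; then echo "ALERT: $n half-open connections (threshold $1)"
  else echo "ok: $n half-open connections (threshold $1)"; fi
}

# Apply the tutorial's Step 4 rules. ufw's stock /etc/ufw/before.rules already
# accepts RELATED,ESTABLISHED traffic, so no rule is needed for that. 'limit'
# blocks a source that opens 6 or more new connections within 30 seconds.
apply_rules() {
  ufw allow 22/tcp
  ufw limit in on "$IFACE" to any port 80 proto tcp
  # SYN cookies cover spoofed-source floods that a per-IP limit cannot.
  sysctl -w net.ipv4.tcp_syncookies=1
  ufw --force enable
}

case "${1:-demo}" in
  demo)  printf '%s\n' "$SAMPLE_SS" | half_open_status 3
         printf '%s\n' "$SAMPLE_SS" | top_sources 3 ;;
  live)  snap=$(ss -Hant)
         printf '%s\n' "$snap" | half_open_status "${2:-200}"
         printf '%s\n' "$snap" | top_sources 5 ;;
  apply) apply_rules ;;
esac
```

Run it with no arguments to see the analysis on the sample data, with `live [threshold]` on the server while hping3 runs, and with `apply` (as root) to install the rules.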

Conclusion

While this tutorial provides a basic defense against SYN flood attacks using firewall rules, real-world network security measures should be more comprehensive. Additionally, consider using specialized DDoS protection services, intrusion detection systems, and other security measures to enhance your server’s protection. Network security is an ongoing process that requires regular updates and adjustments to address evolving threats.
