How to mitigate TCP SYN Flood attack and resolve it on Linux


TCP SYN flood is one type of DDoS (Distributed Denial of Service) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

With a SYN flood DDoS, the attacker sends TCP connection requests faster than the targeted machine can process them.

A normal TCP connection between a client and a server is established with a three-way handshake; the process looks like this:

  1. On the first connection, the client requests a connection by sending a SYN (synchronize) packet to the server.
  2. The server responds to that initial packet with a SYN/ACK packet, acknowledging the client's request.
  3. The client responds with an ACK (acknowledge) message, and the connection is established.

TCP normal connection

You can read more about TCP SYN Flood on https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

How to tell whether your server is under a SYN flood attack:

The command below counts how many connections are in the SYN_RECV state:

Below is a sample from our server while it was under a "small" SYN flood attack:

TCP SYN Flood Attack
Number of TCP SYN Flood Attack connections
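The post's own counting command is not reproduced above, so the following is an added example (not from the original post) of the same check: it counts sockets in SYN_RECV state from `netstat -ant` or `ss -tan` output and ranks the peer addresses holding the most half-open connections. The `SAMPLE` block is constructed netstat output using documentation address ranges, so the functions can be exercised offline; on a real host you pipe the live command into them instead.

```shell
#!/bin/sh
# Added example, not the command from the original post (which is not
# reproduced there): count half-open (SYN_RECV) TCP connections and show
# which peer addresses hold the most of them.

# count_syn_recv reads `netstat -ant` or `ss -tan` output on stdin and prints
# how many sockets are in SYN_RECV (netstat spelling) / SYN-RECV (ss spelling).
count_syn_recv() {
    grep -cE 'SYN[-_]RECV' || true    # grep -c prints 0 but exits 1 on no match
}

# top_syn_sources lists peer addresses by number of half-open connections,
# highest first. Both `netstat -ant` and `ss -tan` put the peer address:port
# in column 5, so the same awk expression works for either.
top_syn_sources() {
    grep -E 'SYN[-_]RECV' | awk '{print $5}' | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of `netstat -ant` output so the functions can be
# exercised offline; the addresses are documentation ranges (RFC 5737).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:443          198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40001       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.5:40002       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.9:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:51300      TIME_WAIT'

printf 'half-open connections in sample: %s\n' "$(printf '%s\n' "$SAMPLE" | count_syn_recv)"
printf '%s\n' "$SAMPLE" | top_syn_sources

# On a live host (netstat comes from net-tools, ss from iproute2):
#   ss -tan | count_syn_recv
#   ss -tan | top_syn_sources | head
#   watch -n 2 'ss -tan | grep -c SYN-RECV'
```

A handful of SYN_RECV entries is normal on a busy web server; what indicates a flood is the count staying in the hundreds or thousands while the rate of established connections does not rise with it. The per-source ranking is mainly useful for spotting whether the traffic is spoofed (many sources, one or two entries each) or concentrated on a few addresses.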

Many people don't use optimized kernel settings that better mitigate the effects of DDoS attacks.

We have tried many sysctl.conf settings, but none of them worked (or we were not lucky) until we found these settings.

These are the CentOS 7 kernel settings that work for us.

Edit the /etc/sysctl.conf file with the settings below.

Please note vm.swappiness=0: we don't need to use swap, because our server has 256 GB of RAM.

To apply the /etc/sysctl.conf settings without a restart, use the command below.
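The post's own sysctl.conf contents and apply command are not reproduced above. As an added example (not the post's settings), the script below writes the standard Linux kernel knobs for absorbing a SYN flood into a drop-in file, reloads them without a reboot, and verifies from /proc/sys that they are live. Every key is a real kernel parameter documented in the kernel's ip-sysctl documentation; the values are conservative starting points, and the drop-in path /etc/sysctl.d/90-synflood.conf is an assumption (any file under /etc/sysctl.d/ works).

```shell
#!/bin/sh
# Added example, not the original post's sysctl.conf: the standard kernel
# settings for surviving a SYN flood, written as a drop-in and applied live.
# The drop-in path is an assumption; CentOS 7 reads every /etc/sysctl.d/*.conf.
SYSCTL_DROPIN="/etc/sysctl.d/90-synflood.conf"

# synflood_sysctl_conf prints the settings. All keys are real kernel
# parameters; the values are starting points, not the post's own numbers.
synflood_sysctl_conf() {
    cat <<'EOF'
# Once the SYN backlog is full, answer SYNs with a cookie instead of keeping
# a half-open socket; legitimate clients still complete the handshake.
net.ipv4.tcp_syncookies = 1
# Larger queue of half-open connections before cookies kick in.
net.ipv4.tcp_max_syn_backlog = 4096
# Retransmit SYN/ACK fewer times so spoofed half-open entries expire sooner
# (the default of 5 keeps an entry for about a minute).
net.ipv4.tcp_synack_retries = 2
# Upper bound on the listen() accept queue; nginx's listen backlog is capped by it.
net.core.somaxconn = 4096
# Packets the driver may queue for the stack before they are dropped.
net.core.netdev_max_backlog = 65536
EOF
}

# current_value reads the live value of a sysctl key from /proc/sys,
# e.g. net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies.
current_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)"
}

# verify_applied returns non-zero if any key in the fragment is not live.
verify_applied() {
    synflood_sysctl_conf | grep -v '^#' | grep '=' | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d ' ')
        want=$(printf '%s' "$want" | tr -d ' ')
        have=$(current_value "$key")
        [ "$have" = "$want" ] || { echo "$key is $have, want $want" >&2; exit 1; }
    done
}

# Usage (as root):  sh synflood-sysctl.sh apply
# Without an argument the script only prints the fragment.
case "$1" in
    apply)
        synflood_sysctl_conf > "$SYSCTL_DROPIN"
        sysctl --system    # reloads /etc/sysctl.conf and every /etc/sysctl.d/*.conf
        verify_applied && echo "SYN flood settings active"
        ;;
    *)
        synflood_sysctl_conf
        ;;
esac
```

If you put the lines directly into /etc/sysctl.conf as the post does, `sysctl -p` reloads just that file; `sysctl --system` additionally loads the drop-ins and is what the boot process runs. Check `dmesg` for "possible SYN flooding on port 443" messages: that line is the kernel telling you cookies have been engaged, which is the intended behaviour under attack, not a failure of the settings.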

When we were under a TCP SYN flood attack and applied the /etc/sysctl.conf settings, the number of SYN flood connections decreased.

TCP SYN Flood attack resolved

A TCP SYN flood produces a very high number of connections on Nginx.

We can check on netdata: about 7,226 active connections on Nginx, with only 90 connections per second.

This condition slows down Nginx's responses.

SYN flood causes a high number of active connections on Nginx

After we applied the sysctl.conf settings, active connections decreased.

Nginx active connections decrease after sysctl applied
