aelius

Minimizing the effects of SYN attacks on Linux


I will start this tutorial with a note: there is no absolute DoS/DDoS protection. All protection systems against attacks of this kind do nothing more than remove the negative effects and allow services to remain accessible up to a certain level.

Below I present a useful script for minimizing the effects of SYN FLOOD attacks. Keep in mind that you should also raise the following sysctl parameters "without restraint":

- net.ipv4.tcp_max_syn_backlog

- net.core.somaxconn

- net.ipv4.tcp_max_tw_buckets


```sh
#!/bin/sh
# Switches TCP sysctl settings between three profiles (run as root).

# Moderate profile: fewer handshake retries and shorter keepalive timers.
active() {
    echo "---------------------------------------------"
    echo "Enabling syn flood protection ...."
    # Retransmissions of an outgoing SYN before giving up
    sysctl -w net.ipv4.tcp_syn_retries=3
    # Retransmissions of a SYN-ACK for a half-open incoming connection
    sysctl -w net.ipv4.tcp_synack_retries=3
    # Keepalive: seconds between probes, number of probes, idle time before probing
    sysctl -w net.ipv4.tcp_keepalive_intvl=30
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=1200
    # Socket buffers in bytes: min, default, max (send, then receive)
    sysctl -w net.ipv4.tcp_wmem="8192 32536 16777216"
    sysctl -w net.ipv4.tcp_rmem="8192 16536 16777216"
    echo "---------------------------------------------"
    return 0
}

# Aggressive profile: a single retry, very short keepalive, small buffers.
aggresive() {
    echo "---------------------------------------------"
    echo "Enabling aggresive syn flood protection ...."
    sysctl -w net.ipv4.tcp_syn_retries=1
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=5
    sysctl -w net.ipv4.tcp_keepalive_probes=1
    sysctl -w net.ipv4.tcp_keepalive_time=10
    sysctl -w net.ipv4.tcp_wmem="3192 6536 16000"
    sysctl -w net.ipv4.tcp_rmem="3192 6536 16000"
    echo "---------------------------------------------"
    return 0
}

# Sets the values this script treats as defaults; they are hardcoded here
# and may differ from what your kernel or distribution ships with.
default() {
    echo "---------------------------------------------"
    echo "Disabling syn flood protection ...."
    sysctl -w net.ipv4.tcp_syn_retries=5
    sysctl -w net.ipv4.tcp_synack_retries=5
    sysctl -w net.ipv4.tcp_keepalive_intvl=75
    sysctl -w net.ipv4.tcp_keepalive_probes=9
    sysctl -w net.ipv4.tcp_keepalive_time=7200
    sysctl -w net.ipv4.tcp_wmem="16192 65536 16777216"
    sysctl -w net.ipv4.tcp_rmem="16192 65536 16777216"
    echo "---------------------------------------------"
    return 0
}

# Select the profile from the first command-line argument.
case "$1" in
    start)
        active
        ;;
    stop)
        default
        ;;
    aggresive)
        aggresive
        ;;
    *)
        echo "Folosire: $0 {start|stop|aggresive}"
        exit 1
        ;;
esac

exit 0
```

Edited by aelius
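To decide which of the three modes to run, it helps to look at how many sockets are currently half-open. The following is an added example, not part of the original post: it counts `SYN-RECV` sockets in `ss -tan` output and maps the total to one of the script's mode names. The function names, the sample data and the default thresholds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): count half-open TCP sockets
# in `ss -tan` output and suggest which mode of the script above to run.

# Constructed sample of `ss -tan` output; addresses are documentation ranges.
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:80         0.0.0.0:*
ESTAB    0      0      192.0.2.10:22      198.51.100.7:51514
SYN-RECV 0      0      192.0.2.10:80      203.0.113.5:40001
SYN-RECV 0      0      192.0.2.10:80      203.0.113.6:40002
SYN-RECV 0      0      192.0.2.10:80      203.0.113.7:40003
SYN-RECV 0      0      192.0.2.10:80      203.0.113.8:40004
SYN-RECV 0      0      [2001:db8::10]:443 [2001:db8::99]:40005
SYN-RECV 0      0      192.0.2.10:443     203.0.113.9:40006
EOF
}

# Total number of sockets stuck in SYN-RECV (handshake not completed).
half_open_total() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# "port count" per local port with half-open sockets, busiest first.
half_open_by_port() {
    awk '$1 == "SYN-RECV" { n = split($4, a, ":"); c[a[n]]++ }
         END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1n
}

# Map a half-open count to a mode name accepted by the script above.
# The default thresholds (256 and 1024) are assumptions; tune per server.
suggest_mode() {
    total=$1; warn=${2:-256}; crit=${3:-1024}
    if [ "$total" -ge "$crit" ]; then echo aggresive
    elif [ "$total" -ge "$warn" ]; then echo start
    else echo stop
    fi
}

# Demo on the constructed sample; on a live host pipe `ss -tan` instead.
total=$(sample_ss_output | half_open_total)
echo "half-open: $total, suggested mode: $(suggest_mode "$total" 3 5)"
sample_ss_output | half_open_by_port
```

On a live host, replace `sample_ss_output` with `ss -tan` and compare the per-port counts against the normal baseline for that server before changing modes.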