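#!/bin/sh
#
# SYN flood mitigation profiles implemented as sysctl tuning.
# Posted by aelius, January 11, 2012 (edited January 11, 2012).
#
# Author's introduction (translated from Romanian):
#   I will start this tutorial with a note: there is no absolute DoS/DDoS
#   protection. All protection systems against attacks of this kind only
#   remove the negative effects and allow services to stay reachable up to
#   a certain level. Below is a useful script for minimizing the effects of
#   SYN FLOOD attacks. Keep in mind to raise the following sysctl
#   parameters "without restraint":
#     - net.ipv4.tcp_max_syn_backlog
#     - net.core.somaxconn
#     - net.ipv4.tcp_max_tw_buckets
#
# Usage: $0 {start|stop|aggresive}
#   start      apply the moderate profile        (function: active)
#   stop       write the author's "off" values   (function: default)
#   aggresive  apply the aggressive profile      (function: aggresive)
#
# Must run with privileges that allow writing kernel parameters. Values set
# with `sysctl -w` apply to the running kernel only and are lost on reboot.
#
# NOTE(review): points to confirm before relying on this script:
#   - It never sets net.ipv4.tcp_syncookies, the kernel's SYN-cookie
#     mechanism for surviving a full SYN backlog. Check that it is enabled
#     on the host; nothing below changes it.
#   - The three parameters the author recommends raising (listed above) are
#     not set anywhere in this script, and no values are suggested for
#     them. Size them for the host's memory and the listening
#     applications' own backlog arguments.
#   - net.ipv4.tcp_syn_retries governs retransmission of *outgoing* SYNs
#     (connections this host initiates). Lowering it does not shorten the
#     life of inbound half-open connections; net.ipv4.tcp_synack_retries is
#     the setting that does.
#   - The tcp_keepalive_* settings act on established connections that
#     requested keepalive, not on half-open ones.
#   - tcp_wmem / tcp_rmem are "min default max" socket buffer sizes in
#     bytes. The aggressive profile caps them at 16000 bytes, which will
#     also throttle legitimate traffic while it is active.
#   - `stop` writes fixed numbers rather than restoring what was in effect
#     before `start`. Kernel defaults differ between versions, so record
#     the current values (sysctl -a) before the first run.

# Print the separator line that frames each profile's output.
rule() {
  echo "---------------------------------------------"
}

# Apply every KEY=VALUE argument with `sysctl -w`, in order.
# A failed write (not root, unknown key, ...) does not stop the remaining
# writes, but it is remembered so the caller can report the failure instead
# of claiming success.
# Returns: 0 if all writes succeeded, 1 if at least one failed.
apply_sysctls() {
  sf_rc=0
  for sf_setting in "$@"; do
    sysctl -w "$sf_setting" || sf_rc=1
  done
  return "$sf_rc"
}

# Moderate profile: fewer SYN/SYN-ACK retransmits and shorter keepalive
# timers than the values written by default().
# Returns: status of apply_sysctls.
active() {
  rule
  echo "Enabling syn flood protection ...."
  apply_sysctls \
    net.ipv4.tcp_syn_retries=3 \
    net.ipv4.tcp_synack_retries=3 \
    net.ipv4.tcp_keepalive_intvl=30 \
    net.ipv4.tcp_keepalive_probes=5 \
    net.ipv4.tcp_keepalive_time=1200 \
    "net.ipv4.tcp_wmem=8192 32536 16777216" \
    "net.ipv4.tcp_rmem=8192 16536 16777216"
  sf_status=$?
  rule
  return "$sf_status"
}

# Aggressive profile: a single retransmit, very short keepalive timers and
# small socket buffers. Intended for use while under attack only; the small
# buffers reduce throughput for every TCP connection on the host.
# Returns: status of apply_sysctls.
aggresive() {
  rule
  echo "Enabling aggresive syn flood protection ...."
  apply_sysctls \
    net.ipv4.tcp_syn_retries=1 \
    net.ipv4.tcp_synack_retries=1 \
    net.ipv4.tcp_keepalive_intvl=5 \
    net.ipv4.tcp_keepalive_probes=1 \
    net.ipv4.tcp_keepalive_time=10 \
    "net.ipv4.tcp_wmem=3192 6536 16000" \
    "net.ipv4.tcp_rmem=3192 6536 16000"
  sf_status=$?
  rule
  return "$sf_status"
}

# "Off" profile: writes the author's baseline values. These are hard-coded,
# not read back from a saved state (see the review notes in the header).
# Returns: status of apply_sysctls.
default() {
  rule
  echo "Disabling syn flood protection ...."
  apply_sysctls \
    net.ipv4.tcp_syn_retries=5 \
    net.ipv4.tcp_synack_retries=5 \
    net.ipv4.tcp_keepalive_intvl=75 \
    net.ipv4.tcp_keepalive_probes=9 \
    net.ipv4.tcp_keepalive_time=7200 \
    "net.ipv4.tcp_wmem=16192 65536 16777216" \
    "net.ipv4.tcp_rmem=16192 65536 16777216"
  sf_status=$?
  rule
  return "$sf_status"
}

# Dispatch on the first argument; anything else prints the usage line
# ("Folosire" is Romanian for "Usage") on stderr and exits 1.
case "$1" in
  start)     active ;;
  stop)      default ;;
  aggresive) aggresive ;;
  *)
    echo "Folosire: $0 {start|stop|aggresive}" >&2
    exit 1
    ;;
esac

# Exit with the selected profile's status, so a run where sysctl could not
# write the settings no longer reports success.
exit $?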