[TriLUG] Detecting SYN Floods with IPTables?

Glen Ford gford at idiom.com
Wed Feb 18 09:16:26 EST 2004 

Jeff Bollinger wrote:

> I'm working on an issue where a user suspects an irregular but 
> reoccurring SYN flood against a server (i.e. thousands of connections 
> with only the SYN flag set -- never closed or ACKd)
>
> I'm thinking I should be able to passively watch traffic to this host 
> (mirror port) and use the IPTables 'LOG' function to note this type of 
> attack to determine the source host (attacker).  Before I implement my 
> sniffer, is this the proper SYNtax (sorry ;) for what I'm trying to do:
>
> IPTABLES -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD"
>
> I've searched around, but reading the above makes me think that it 
> will log *every* proper TCP connection  (i.e. all that begin with a 
> SYN). Should I be using the --state flag, and if so, what attribute 
> (NEW, ESTABLISHED, INVALID, RELATED)???
>
> Thanks!
> Jeff
>
Below might work for you.

/glen


    # SECTION FOR WHAT IS ALLOWED ON THE INPUT CHAIN
    # ----------------------------------------------------------------

    # Check if this is a "good" IP packet, i.e., have seen the SYN
    iptables -A INPUT -j generic_drops

    #    Check for any tcp or udp established connection
    #    The packet is accepted or dropped, there is no return
    iptables -A INPUT -j established


## Allowed established connections
    iptables -N established
    iptables -A established -p tcp -m state --state ESTABLISHED,RELATED 
-j ACCEPT
    iptables -A established -p tcp -j LOG --log-prefix "(drop-tcp)"
    iptables -A established -p tcp -j DROP
    iptables -A established -p udp -m state --state ESTABLISHED,RELATED 
-j ACCEPT
    iptables -A established -p udp -j LOG --log-prefix "(drop-udp)"
    iptables -A established -p udp -j DROP




    # ----------------------------------------------------------------
        # SECTION FOR GENERIC DROPS w/wo LOGGING
        # ----------------------------------------------------------------
        iptables -N generic_drops
    iptables -A generic_drops -p tcp ! --syn -m state --state NEW -j LOG 
--log-prefix "DROP(no-syn)"
    iptables -A generic_drops -p tcp ! --syn -m state --state NEW -j DROP


-- 
Glen Ford
gford at idiom.com

More information about the TriLUG mailing list