Howto Stop SYN Flooding Attack Automatically

Discussion in 'Security' started by usf, Dec 28, 2010.

  1. #1
    Hello, is there any way to block a SYN flood attack automatically without any downtime? I have APF but it's not working to stop the SYN flood. Please suggest something that automatically blocks SYN flooding.
     
    Last edited: Dec 28, 2010
    usf, Dec 28, 2010 IP
  2. jarrodw

    #2
    What ports is the flood coming in on? Yes, there is a reason I ask.
     
    jarrodw, Dec 30, 2010 IP
  3. usf

    #3
    On port 80.
     
    usf, Dec 30, 2010 IP
  4. jarrodw

    #4
    Hey USF.

    The first thing I would do is contact your host. Do it now. They can possibly have the IP null routed upstream. This is the first step.

    Since your site is probably running on port 80 there is no way to do this without downtime. If you do not want to use the bandwidth I would drop the TTL on your DNS records, and move the site to a different host for a while. This will cause downtime. The best thing to do is report him to your hosting company. They can possibly look into black holing him.

    If you need help creating a disaster recovery site that you can fail over to when things like this happen, PM me. My rates are cheap.
     
    jarrodw, Dec 30, 2010 IP
  5. usf

    #5
    Thank you very much
     
    usf, Dec 30, 2010 IP
  6. jarrodw

    #6
    Is the attack distributed or is it coming from a single network?
     
    jarrodw, Dec 30, 2010 IP
  7. usf

    #7
    It's different, with different IPs.
     
    usf, Dec 30, 2010 IP
  8. jarrodw

    #8
    Well, you are under a DDoS attack. Report him to your host. You could possibly look into blocking the IPs with iptables if they are limited to only a few different IPs, but this will probably not work if he has a lot of nodes in his DDoS network.
     
    jarrodw, Dec 30, 2010 IP
  9. Abigale

    #9
    Make sure you have an unlimited IP banlist. Don't make it limited to only a few IPs. Also limit the connections per IP!
     
    Abigale, Jan 4, 2011 IP
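
An added example, not part of any post in this thread: one way to check whether the sources are few enough to block with iptables (post #8) and to express a per-IP connection limit (post #9). The `netstat -ant` sample is constructed from documentation address ranges, and the function names, thresholds and limit values are assumptions; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation IPs, not real traffic).
sample_netstat() {
cat <<'EOF'
tcp        0      0 192.0.2.10:80       198.51.100.7:40001   SYN_RECV
tcp        0      0 192.0.2.10:80       198.51.100.7:40002   SYN_RECV
tcp        0      0 192.0.2.10:80       198.51.100.7:40003   SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:51000    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.9:51001    SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.50:33000   ESTABLISHED
tcp        0      0 192.0.2.10:22       198.51.100.7:40100   SYN_RECV
tcp        0      0 192.0.2.10:80       203.0.113.77:60000   SYN_RECV
EOF
}

# Print "count ip" for each remote IPv4 address with more than $1 half-open
# (SYN_RECV) connections to local port $2, busiest first.
syn_recv_offenders() {
    awk -v limit="$1" -v port="$2" '
        $6 == "SYN_RECV" && $4 ~ (":" port "$") {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Turn the offender list on stdin into per-source drop rules for port $1.
drop_rules() {
    while read -r _count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport $1 -j DROP"
    done
}

# Per-IP cap on concurrent connections to port $1; the cap $2 is an assumption to tune.
connlimit_rule() {
    echo "iptables -I INPUT -p tcp --syn --dport $1 -m connlimit --connlimit-above $2 -j DROP"
}

# On a live host, replace sample_netstat with: netstat -ant
sample_netstat | syn_recv_offenders 1 80 | drop_rules 80
connlimit_rule 80 20
```

A long offender list with one or two half-open connections per address is the distributed case post #8 warns about, where per-source rules stop being practical.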
  10. panteng

    #10
    Please install Snort and BASE on your server computer.
     
    panteng, Jan 12, 2011 IP
  11. jarrodw

    #11
    Snort will not solve this problem. You need to have Snort installed, configured properly with SnortSam or as an IPS system first. He also needs to know how to do this properly. Just installing Snort and walking away will do nothing.
     
    jarrodw, Jan 12, 2011 IP
  12. lucccy

    #12
    If the problem persists, get DDoS protection.
    Also Google for DDoS mitigation.
     
    lucccy, Jan 14, 2011 IP