possible SYN flooding on port 1935. Sending cookies.
I am running a bunch of CentOS servers with some media applications and I keep getting what I think are DDoS attacks. I have enabled tcp_syncookies and the problem still exists.
My iptables is set up to block everything that isn't necessary as far as I know, but we need to allow incoming traffic on port 1935 and that is where it is happening.
Is there anything we can do to fix this issue, or at least stop my machine from crashing and going down because of this?
Is there an easy way or log file to check to find out what IP it's coming from, and then what is the process to ban that IP or range? Sorry for the probably really simple question, this is pretty new to me.
To add to this, traffic that comes in on this port can be worldwide, it's just users accessing a program... so with that in mind I could block the IP from this attack once I find it, but I don't want to limit any legitimate users.
Last edited by 007stealth; 09-06-2013 at 11:54 AM.
Quote:
Originally Posted by 007stealth
I am running a bunch of CentOS servers with some media applications
What "media applications" exactly?
Quote:
Originally Posted by 007stealth
My iptables is setup to block everything that isn't necessary as far as I know but we need to allow incoming information on port 1935 and that is where it is happening.
Does the application only require that port? And post output from this please:
Code:
iptables-save
That may help us help you write appropriate rules.
It is a Wowza media server actually, for which the default streaming port is 1935... I am wondering if there is a way to limit traffic so these mass amounts will be dropped but not normal traffic. Below is the output of my iptables-save command for review. The other option is to potentially change port 1935 if you think that would help.
Code:
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*nat
:PREROUTING ACCEPT [6389:823552]
:POSTROUTING ACCEPT [1587:651103]
:OUTPUT ACCEPT [1587:651103]
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*mangle
:PREROUTING ACCEPT [88609432:34866104895]
:INPUT ACCEPT [88607125:34865599695]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92757422:180810014794]
:POSTROUTING ACCEPT [92757422:180810014794]
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*filter
:INPUT DROP [1289:120704]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [92757422:180810014794]
-A INPUT -s (source IP) -p udp -m udp --dport 1934 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -s (Source IP) -p tcp -m tcp --dport 8085 -j ACCEPT
-A INPUT -s (source IP) -p tcp -m tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
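Two things the thread asks for, as an added example that is not code from the thread or from Wowza: a way to see which peer addresses are behind the half-open connections on the streaming port, and per-source SYN rate limiting so a flooding host is dropped while ordinary viewers are not. It assumes the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer) and an iptables with the hashlimit match; the port, thresholds and sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Finds sources of half-open TCP
# connections and emits per-source SYN rate-limit rules for review.
# Assumes `ss -tan` column order: State Recv-Q Send-Q Local:Port Peer:Port.

# Count SYN-RECV connections per peer IP from `ss -tan` output and print
# "count ip" for every peer at or above the threshold, busiest first.
# (netstat -tan has a different column order; adjust $5 if you use it.)
syn_recv_sources() {           # $1 = ss output, $2 = minimum count to report
    printf '%s\n' "$1" |
        awk -v min="$2" '$1 == "SYN-RECV" {
                peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
            END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
        sort -rn
}

# Emit (do not apply) rules that cap new SYNs per source IP on one port.
# hashlimit keeps a per-source bucket: a viewer opening a few streams stays
# under the limit, a host sending hundreds of SYNs/sec is logged and dropped.
syn_limit_rules() {            # $1 = port, $2 = SYNs/sec per source, $3 = burst
    cat <<EOF
iptables -N SYNLIMIT
iptables -A SYNLIMIT -m hashlimit --hashlimit-name syn$1 --hashlimit-mode srcip --hashlimit-upto $2/sec --hashlimit-burst $3 -j RETURN
iptables -A SYNLIMIT -m limit --limit 6/min -j LOG --log-prefix "SYNLIMIT-$1: "
iptables -A SYNLIMIT -j DROP
iptables -I INPUT -p tcp --dport $1 --syn -j SYNLIMIT
EOF
}

# Constructed sample resembling `ss -tan` on a host listening on 1935.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0 0 10.0.0.5:1935 203.0.113.7:51214
SYN-RECV 0 0 10.0.0.5:1935 203.0.113.7:51215
SYN-RECV 0 0 10.0.0.5:1935 203.0.113.7:51216
SYN-RECV 0 0 10.0.0.5:1935 198.51.100.9:40011
ESTAB 0 0 10.0.0.5:1935 192.0.2.33:60233'

syn_recv_sources "$SAMPLE" 2   # prints: 3 203.0.113.7
syn_limit_rules 1935 20 40     # review the rules, then run them as root
```

On a live host replace the sample with `ss -tan` output; the kernel's "possible SYN flooding" message itself carries no source address, so the per-peer count is what points at the offending hosts.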
Thank you, that's awesome, hopefully that will stop all the issues we are having. I really appreciate it. One question though: it won't let me add the rule with two ports being specified. Should I just take out the second --dport 1935 after the --syn?
It might not, but at least now you've got an early warning if connections reach the threshold. It might need adjustment or exclusions if you have a busy server or if you encounter mass requests from one IP address. It may be difficult to gauge what actually would be legitimate proxy users.
Quote:
Originally Posted by 007stealth
should I just take out the second --dport 1935 after the --syn?
Yes, my mistake. I'll edit it out of my previous post.