cpanel SYN FLOOD limit

P4s Member

Hi,

We are receiving a SYN attack on our WHM/cPanel server. That's why we have limited the SYN flood rate using csf and added rules in sysctl.conf in order to prevent the SYN attack. But we are facing some issues with our client domains: their domains go down and come back up randomly.
So we stopped csf and then checked; those domains load fine.

Does someone know about this issue? What can we do to resolve it?

Also, what is the preferred SYN flood and UDP flood limit for a WHM/cPanel server?

csf SYN flood settings

SYNFLOOD_RATE = "10/s"
SYNFLOOD_BURST = "10"

iptables rules (iptables -L -n output)

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: ICMP_IN Blocked '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (206 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: ICMP_OUT Blocked '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain PORTFLOOD (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: Port Flood '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SYNFLOOD (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 75/sec burst 25
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: SYNFLOOD Blocked '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain UDPFLOOD (1 references)
target prot opt source destination
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 25
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 0
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 75/sec burst 25
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: UDPFLOOD '
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

sysctl.conf entries

# answer SYNs with SYN cookies once the SYN backlog is full
net.ipv4.tcp_syncookies = 1
# size of the half-open (SYN_RECV) queue before cookies kick in
net.ipv4.tcp_max_syn_backlog = 16384
# retransmit SYN-ACK at most 3 times (default 5) so half-open entries expire sooner
net.ipv4.tcp_synack_retries = 3
# reverse-path filtering; documented values are 0 (off), 1 (strict), 2 (loose)
net.ipv4.conf.all.rp_filter = 5
net.ipv4.conf.lo.rp_filter = 5
net.ipv4.conf.eth0.rp_filter = 5
net.ipv4.conf.default.rp_filter = 5
# conntrack SYN_RECV timeout in seconds (legacy ip_conntrack key name;
# on nf_conntrack kernels it is net.netfilter.nf_conntrack_tcp_timeout_syn_recv)
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 50

Thanks

Comments

  • jackb Member, Host Rep

    Sounds like you accidentally blocked all TCP traffic whenever you receive more than 75 packets per second.

  • P4s Member

    Hello jackb,

    Thanks for your answer

    Presently we have set the SYN flood limit below in the csf configuration.

    SYNFLOOD_RATE = "75/s"
    SYNFLOOD_BURST = "10"

    It will allow a maximum of 75 SYN connections per second per IP.

    Do you mean this limit blocks all TCP connections when reaching 75 connections per second? If yes, we have limited SYN connections only... then how does it block all TCP connections?
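The SYNFLOOD chain in the listing above is built from a plain `-m limit` match (`RETURN all ... limit: avg 75/sec burst 25`, then LOG and DROP). That match keeps a single token bucket for the whole rule and never looks at the source address, so once the combined SYN rate from every client exceeds 75/s the surplus SYNs are dropped whoever sent them, which is why sites appear to go down and come back at random. The model below is an added example, not code from csf or from anyone in this thread. It replays a constructed SYN trace (five real clients at 1 SYN/s plus a 500 SYN/s flood) through an integer token bucket that mimics `-m limit`, and through one bucket per source as `-m hashlimit --hashlimit-mode srcip` would keep; the client and flood addresses, the 10-second window and the packet timing are all assumptions made for the example, and the hashlimit table is assumed never to fill (real hashlimit has `--hashlimit-htable-max`).

```python
"""Model of netfilter `-m limit` (one bucket per rule) versus
`-m hashlimit --hashlimit-mode srcip` (one bucket per source) on a SYN stream.
Added example; traffic traces are constructed, not captured."""
from collections import defaultdict

MICRO = 1_000_000   # tokens are counted in microtokens, time in microseconds


class TokenBucket:
    """`avg` packets per second, at most `burst` tokens stored, starts full.
    Integer arithmetic keeps the results exact."""

    def __init__(self, avg: int, burst: int) -> None:
        self.rate = avg                  # tokens/s == microtokens per microsecond
        self.capacity = burst * MICRO
        self.tokens = self.capacity
        self.last = 0

    def allow(self, now_us: int) -> bool:
        # refill for the elapsed time, cap at burst, then spend one token if available
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last) * self.rate)
        self.last = now_us
        if self.tokens >= MICRO:
            self.tokens -= MICRO
            return True
        return False


def global_limit(avg: int, burst: int):
    """`-m limit --limit {avg}/s --limit-burst {burst}`: everyone shares one bucket."""
    bucket = TokenBucket(avg, burst)
    return lambda src, now_us: bucket.allow(now_us)


def per_source_limit(avg: int, burst: int):
    """`-m hashlimit --hashlimit-mode srcip`: one bucket per source address.
    Assumption: the hash table never fills (no --hashlimit-htable-max modelled)."""
    buckets = defaultdict(lambda: TokenBucket(avg, burst))
    return lambda src, now_us: buckets[src].allow(now_us)


def build_trace(spoofed: bool, seconds: int = 10):
    """Constructed trace: five real clients (assumed 10.0.0.1-5) at 1 SYN/s each,
    plus a 500 SYN/s flood from one address (assumed 203.0.113.9) or, if
    spoofed=True, from a different fake address on every packet."""
    events = []
    for s in range(seconds):
        for i in range(1, 6):
            # each client SYN lands 1 ms after a flood SYN, competing for the same tokens
            events.append((s * MICRO + i * 100_000 + 1_000, f"10.0.0.{i}", True))
    for k in range(seconds * 500):
        src = f"spoofed-{k}" if spoofed else "203.0.113.9"
        events.append((k * 2_000, src, False))
    events.sort(key=lambda e: e[0])
    return events


def run(policy, trace):
    """Return (legit SYNs passed, legit SYNs total, flood SYNs passed)."""
    legit_ok = legit_total = flood_ok = 0
    for now_us, src, is_legit in trace:
        ok = policy(src, now_us)
        if is_legit:
            legit_total += 1
            legit_ok += ok
        else:
            flood_ok += ok
    return legit_ok, legit_total, flood_ok


def compare(avg: int = 75, burst: int = 25):
    """Both limiters, both flood kinds, at the thread's SYNFLOOD_RATE/SYNFLOOD_BURST."""
    out = {}
    for scenario, spoofed in (("single-source flood", False), ("spoofed flood", True)):
        out[scenario] = {
            "limit (global)": run(global_limit(avg, burst), build_trace(spoofed)),
            "hashlimit (per srcip)": run(per_source_limit(avg, burst), build_trace(spoofed)),
        }
    return out


if __name__ == "__main__":
    for scenario, results in compare().items():
        print(scenario)
        for name, (legit_ok, legit_total, flood_ok) in results.items():
            print(f"  {name:22s} real clients {legit_ok}/{legit_total}, flood {flood_ok}")
```

Under the shared bucket the five real clients get none of their 50 SYNs through in either scenario: the flood source drains every token as soon as it is refilled, so the 75/s allowance is spent entirely on the attacker. A per-source bucket lets all 50 real SYNs through and still caps the single-source attacker at the same 775 SYNs per 10 seconds, but it does nothing against a spoofed flood (every fake source is a fresh bucket, so all 5000 flood SYNs pass). That is the job of `net.ipv4.tcp_syncookies` and a sensible `tcp_max_syn_backlog`, both already in the sysctl.conf above; a SYN rate limit in the firewall only adds collateral damage, and csf's own configuration comments warn that SYNFLOOD should be enabled only while an attack is actually in progress.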
