Linux DDos(SYN Flood)攻击的检测和防范

 
  netstat 工具来检测SYN攻击
  # netstat -n -p -t
  tcp0 0 10.11.11.11:23124.173.152.8:25882 SYN_RECV-
  tcp0 0 10.11.11.11:23236.15.133.204:2577 SYN_RECV-
  tcp0 0 10.11.11.11:23127.160.6.129:51748 SYN_RECV-
  ...
  LINUX系统中看到的,很多连接处于SYN_RECV状态(在WINDOWS系统中是SYN_RECEIVED状态),
  源IP地址都是随机的,表明这是一种带有IP欺骗的SYN攻击。
  # netstat -n -p -t | grep SYN_RECV | grep :80 | wc -l
  324
  查看在LINUX环境下某个端囗的未连接队列的条目数,显示TCP端囗22的未连接数有324个,
  虽然还远达不到系统极限,但应该引起管理员的注意。
  [root@pub wxjsr]# netstat -na | grep SYN_RECV
  tcp 0 0 58.193.192.20:80 221.0.108.162:32383 SYN_RECV
  tcp 0 0 58.193.192.20:80 125.85.118.231:2601 SYN_RECV
  tcp 0 0 58.193.192.20:80 222.242.171.215:2696 SYN_RECV
  tcp 0 0 58.193.192.20:80 116.52.10.51:2629 SYN_RECV
  tcp 0 0 58.193.192.20:80 218.171.175.157:1117
  [root@pub wxjsr]# netstat -na | grep SYN_RECV |wc
   11 66 979
  查看系统SYN相关的配置
  Linux内核提供了若干SYN相关的配置,用命令: sysctl -a | grep syn
  [root@metc apache2]# /sbin/sysctl -a | grep syn
  net.ipv6.conf.default.max_desync_factor = 600
  net.ipv6.conf.all.max_desync_factor = 600
  net.ipv6.conf.eth0.max_desync_factor = 600
  net.ipv6.conf.lo.max_desync_factor = 600
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
  net.ipv4.tcp_max_syn_backlog = 1280
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_syn_retries = 5
  fs.quota.syncs = 18
  防范SYN攻击设置
  #缩短SYN- Timeout时间:
  iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
  #每秒 最多3个 syn 封包 进入 表达为 :
  iptables -N syn-flood
  iptables -A INPUT -p tcp --syn -j syn-flood
  iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A syn-flood -j REJECT
  #设置syncookies:
  sysctl -w net.ipv4.tcp_syncookies=1
  /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3000
  /sbin/sysctl -w net.ipv4.tcp_synack_retries=1
  /sbin/sysctl -w net.ipv4.tcp_syn_retries=1
  sysctl -w net.ipv4.conf.all.send_redirects=0
  sysctl -w net.ipv4.conf.all.accept_redirects=0
  sysctl -w net.ipv4.conf.all.forwarding=0
  /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # 禁用icmp源路由选项
  /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # 忽略icmp ping广播包,应开启
  /sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1 # 忽略所有icmp ping数据,覆盖上一项

你可能感兴趣的:(linux,职场,休闲)