Running netstat is showing hundreds of this line, even after rebooting the server — it starts sending again, causing many connections to that IP:
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
I stopped all scripts, but it still keeps trying.
I know this means the IP is not responding to SYN_SENT, but how can I stop those SYN_SENT? Or what is the best solution to this?
Thanks.
This question seems to be getting many views but still no answer, so I decided to answer my own question for anyone looking for a solution.
First things first: knowing the reason is half of the solution. I was under what is called a SYN flooding attack, which uses the HTTP protocol's behavior against itself.
The short of it is, a remote client tries to establish a connection with your server by sending SYN, your server replies with SYN_ACK (in your logs you will see SYN_SENT) and waits until it receives ACK. If ACK is not received within xx seconds, your server sends SYN_ACK again... and again... and again. It will eventually reach the configured threshold and stop accepting any more SYN requests, making your server unresponsive. One of the symptoms that happened to me was that my website responded once as if nothing were wrong, but did not respond the next xx times.
The solution that worked for me was enabling SYN cookies. SSH into your server and open the following file using your favorite editor; I'm using vi in this example:
vi /etc/sysctl.conf
Add these lines to the file, then restart your server. Hopefully this will stop the attack as it did for me:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
I was using CentOS. I think the above solution will work on all distributions, but in case it doesn't, search for "How to stop SYN Flooding Attack" for your Linux distribution.
On a side note, blocking the IPs initiating the SYN requests will probably not help, because most likely the attacker has spoofed the IPs.
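As an added example (not code from the question or the answer), the POSIX shell helpers below do two things a defender would want to do with this page's material offline: summarise the SYN_SENT sockets in the question's netstat output per remote peer, and check a sysctl.conf-style file for the three settings the answer adds before applying them. The socket parser assumes the column layout of `netstat -tn` as shown in the question (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the extra socket lines, the temporary file contents and the peers in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.  Two offline triage
# helpers for the situation described on this page:
#   1. summarise SYN_SENT sockets per remote peer from `netstat -tn` output in
#      the column layout shown in the question
#      (Proto Recv-Q Send-Q Local-Address Foreign-Address State);
#   2. check a sysctl.conf-style file for the three settings the answer adds.
# Sample socket lines and file contents are constructed; 203.0.113.x and
# 198.51.100.x are documentation ranges, not real peers.

# Constructed sample: the five lines from the question plus three unrelated sockets.
SAMPLE_NETSTAT='tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:36283 154.45.206.59:https SYN_SENT
tcp 0 1 server1700.skdedicate:41020 203.0.113.7:https SYN_SENT
tcp 0 0 server1700.skdedicate:https 198.51.100.9:51234 ESTABLISHED
tcp 0 0 server1700.skdedicate:https 198.51.100.10:51235 SYN_RECV'

# The values the answer puts in /etc/sysctl.conf, as key=value pairs.
DESIRED_SYSCTLS='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=3'

# syn_sent_by_peer: read netstat lines on stdin and print "<count> <remote-ip>"
# for every peer that has sockets in SYN_SENT, busiest peer first.  The port is
# removed by stripping the text after the foreign address's last colon, so
# bracketed IPv6 peers survive as well as the dotted-quad ones shown above.
# netstat's header lines never have SYN_SENT in field 6, so they fall through.
syn_sent_by_peer() {
    awk '$6 == "SYN_SENT" { peer = $5; sub(/:[^:]*$/, "", peer); n[peer]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# syn_sent_total: number of SYN_SENT sockets on stdin, whatever the peer.
syn_sent_total() {
    awk '$6 == "SYN_SENT" { c++ } END { print c + 0 }'
}

# check_syn_sysctls FILE: compare FILE (sysctl.conf syntax: '#' comments,
# "key = value", last assignment wins) against DESIRED_SYSCTLS.  Prints one
# line per key and returns 1 if anything is missing or different, so it can
# gate a deploy step before `sysctl -p` is run.
check_syn_sysctls() {
    file=$1
    rc=0
    for entry in $DESIRED_SYSCTLS; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(awk -F'=' -v k="$key" '
            /^[ \t]*#/ { next }
            { gsub(/[ \t]/, "", $1) }
            $1 == k { v = $2; gsub(/[ \t]/, "", v) }
            END { print v }' "$file")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; rc=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s (have %s, want %s)\n' "$key" "$have" "$want"; rc=1
        else
            printf 'OK       %s = %s\n' "$key" "$have"
        fi
    done
    return $rc
}

# Demonstration on the constructed sample: the question's peer tops the list.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sent_by_peer
```

On a live host, `netstat -tn | syn_sent_by_peer` gives the per-peer view, and `check_syn_sysctls /etc/sysctl.conf` reports which of the three keys are still missing or set to another value before you run `sysctl -p`; `sysctl net.ipv4.tcp_syncookies` afterwards confirms what the kernel actually took. Two points worth knowing when reading the result: the kernel only starts sending SYN cookies once a listening socket's SYN backlog overflows, so a compliant file is not by itself evidence that cookies are being used, and `ss -tnp state syn-sent` lists the same sockets together with the PID and program that opened each one, which is the quickest way to see which process on the server owns them.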