3

A recent article from UNIXy (http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/) has suggestions for hardening a Linux box against DDoS attacks.

Example of sysctl.conf:

# Answer SYN floods with SYN cookies once the listen backlog fills
net.ipv4.tcp_syncookies = 1
# Reverse-path filtering: drop packets whose source address is not reachable
# back through the interface they arrived on (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Raise the largest PID the kernel will hand out (default 32768)
kernel.pid_max = 65536
# Ephemeral port range used for outbound connections
net.ipv4.ip_local_port_range = 9000 65000

Any other recommendations for hardening Linux against DDoS attacks?

Asked by Eureka Ikara; edited by EEAA

2 Answers

1

You can also turn down the read/write socket buffers as well, which would decrease the amount of memory each inbound connection requires.

http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php

You'll have to actually test it out for your application and your hardware (yes, those settings can cause weird side effects depending on your NIC), since you may break more than you save depending on your traffic flow.

James Cape
    Thanks. The article references the TCP Tuning Guide at US Department of Energy site that also gives good background. I also found another useful Linux hardening article here http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/ – Eureka Ikara Nov 24 '10 at 10:24
0

You could set the following as well.

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

# Don't pass traffic between networks or act as a router
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1

# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1

# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

# RFC 1337 fix
net.ipv4.tcp_rfc1337=1

# Addresses of mmap base, heap, stack and VDSO page are randomized
kernel.randomize_va_space=2

# Reboot the machine soon after a kernel panic.
kernel.panic=10
Digital Human
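The sysctl.conf in the question and the longer list in the answer above are both only as good as what actually ends up in the file, and sysctl -p applies a later duplicate key over an earlier one, so a "hardened" file can silently end up weaker than it reads. The following POSIX shell script is an added example, not code from the question, either answer, or the linked articles: it audits a sysctl.conf-style file against a hardening baseline without touching the running kernel. Everything in it is hypothetical: the function names (conf_value, proc_path, live_value, audit_sysctl_conf), the baseline format (one "key expected-value" per line), and the sample configuration and baseline, which are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the question or either answer: audit a sysctl.conf-style
# file against a hardening baseline. All names here (conf_value, proc_path,
# live_value, audit_sysctl_conf) and the sample data are hypothetical/constructed.

# Effective value of key $2 in file $1. Accepts "key = value" and "key=value",
# skips blank lines and lines starting with '#' or ';' (the sysctl.conf comment
# syntax), and lets the LAST occurrence win, exactly as sysctl -p applies the file.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Map a dotted key to the /proc/sys file the kernel exposes it through,
# e.g. net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies.
# (Interface names containing dots, such as VLAN devices, need the slash
# form instead; this helper does not handle them.)
proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Value the running kernel currently has for key $1 (empty if not readable).
live_value() {
    p=$(proc_path "$1")
    [ -r "$p" ] && cat "$p"
}

# Audit file $1 against a baseline read from stdin, one "key expected" per line.
# Prints OK / MISMATCH / MISSING per key; returns the number of non-compliant keys.
audit_sysctl_conf() {
    file=$1; fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        case $key in \#*) continue ;; esac
        have=$(conf_value "$file" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; fails=$((fails + 1))
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"; fails=$((fails + 1))
        else
            printf 'OK       %s = %s\n' "$key" "$have"
        fi
    done
    return "$fails"
}

# Constructed sample config: the question's five lines plus a stray late
# override of the kind that creeps in after a "quick fix" and is never removed.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 9000 65000
; added later while debugging asymmetric routing; never removed
net.ipv4.conf.default.rp_filter=0
EOF

# Constructed baseline: keys from the question merged with two from the answer above.
SAMPLE_BASELINE=$(mktemp)
cat > "$SAMPLE_BASELINE" <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.ip_local_port_range 9000 65000
EOF

# Reports one MISMATCH (default.rp_filter, overridden to 0) and two MISSING keys.
audit_sysctl_conf "$SAMPLE_CONF" < "$SAMPLE_BASELINE" || echo "non-compliant keys: $?"
```

A file audit only tells you what will be applied the next time sysctl -p runs; to see what the kernel is using right now, read the /proc/sys path proc_path returns (live_value does this; sysctl -n key is equivalent), and remember that a later file under /etc/sysctl.d/ or a boot script can change a value after sysctl.conf has been loaded.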