I have attempted to create iptables rules to prevent my server's connection limit from being filled up with incomplete SYN packets for which no ACK packet is returned by the client (SYN flood attack).
I have read the [RFC 4987 TCP SYN Flooding Attacks and Common Mitigations][1] and [Mitigate TCP SYN Flood Attacks with Red Hat Enterprise Linux 7 Beta][2] and finally tried to follow the instructions [here][3]: https://javapipe.com/blog/iptables-ddos-protection/
However, my site is still easily taken down with a DoS attack using the following command:

    hping -S --flood -V -p 443 www.mydomain.com

At the end of the tutorial from Javapipe.com linked above, a command is mentioned for telling whether SYNPROXY is active or not:

> To verify that SYNPROXY is working, you can do `watch -n1 cat /proc/net/stat/synproxy`. If the values change when you establish a new TCP connection to the port you use SYNPROXY on, it works.

The command is:

    watch -n1 cat /proc/net/stat/synproxy

When I use that command on my server and try to load a page, the data does not change and is all zeros.

    Every 1.0s: cat /proc/net/stat/synproxy        Thu Jul 25 19:57:00 2019

    entries   syn_received  cookie_invalid  cookie_valid  cookie_retrans  conn_reopened
    00000000  00000000      00000000        00000000      00000000        00000000

Here is the output of `iptables -L`:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    INPUT_direct all -- anywhere anywhere
    INPUT_ZONES_SOURCE all -- anywhere anywhere
    INPUT_ZONES all -- anywhere anywhere
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
    REJECT tcp -- anywhere anywhere #conn src/32 > 80 reject-with tcp-reset
    ACCEPT tcp -- anywhere anywhere ctstate NEW limit: avg 20/sec burst 20
    DROP tcp -- anywhere anywhere ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST limit: avg 2/sec burst 2
    DROP tcp -- anywhere anywhere tcp flags:RST/RST
    DROP all -- anywhere anywhere ctstate INVALID
    SYNPROXY tcp -- anywhere anywhere tcp ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    DROP all -- anywhere anywhere ctstate INVALID
    DROP all -- anywhere anywhere state INVALID

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    FORWARD_direct all -- anywhere anywhere
    FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
    FORWARD_IN_ZONES all -- anywhere anywhere
    FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
    FORWARD_OUT_ZONES all -- anywhere anywhere
    DROP all -- anywhere anywhere ctstate INVALID
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    OUTPUT_direct all -- anywhere anywhere

    Chain FORWARD_IN_ZONES (1 references)
    target prot opt source destination
    FWDI_public all -- anywhere anywhere [goto]

    Chain FORWARD_IN_ZONES_SOURCE (1 references)
    target prot opt source destination

    Chain FORWARD_OUT_ZONES (1 references)
    target prot opt source destination
    FWDO_public all -- anywhere anywhere [goto]

    Chain FORWARD_OUT_ZONES_SOURCE (1 references)
    target prot opt source destination

    Chain FORWARD_direct (1 references)
    target prot opt source destination

    Chain FWDI_public (1 references)
    target prot opt source destination
    FWDI_public_log all -- anywhere anywhere
    FWDI_public_deny all -- anywhere anywhere
    FWDI_public_allow all -- anywhere anywhere
    REJECT icmp -- anywhere anywhere reject-with icmp-host-prohibited

    Chain FWDI_public_allow (1 references)
    target prot opt source destination

    Chain FWDI_public_deny (1 references)
    target prot opt source destination

    Chain FWDI_public_log (1 references)
    target prot opt source destination

    Chain FWDO_public (1 references)
    target prot opt source destination
    FWDO_public_log all -- anywhere anywhere
    FWDO_public_deny all -- anywhere anywhere
    FWDO_public_allow all -- anywhere anywhere

    Chain FWDO_public_allow (1 references)
    target prot opt source destination

    Chain FWDO_public_deny (1 references)
    target prot opt source destination

    Chain FWDO_public_log (1 references)
    target prot opt source destination

    Chain INPUT_ZONES (1 references)
    target prot opt source destination
    IN_public all -- anywhere anywhere [goto]

    Chain INPUT_ZONES_SOURCE (1 references)
    target prot opt source destination

    Chain INPUT_direct (1 references)
    target prot opt source destination

    Chain IN_public (1 references)
    target prot opt source destination
    IN_public_log all -- anywhere anywhere
    IN_public_deny all -- anywhere anywhere
    IN_public_allow all -- anywhere anywhere
    REJECT icmp -- anywhere anywhere reject-with icmp-host-prohibited

    Chain IN_public_allow (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW

    Chain IN_public_deny (1 references)
    target prot opt source destination

    Chain IN_public_log (1 references)
    target prot opt source destination

    Chain OUTPUT_direct (1 references)
    target prot opt source destination

The server is a VPS with DigitalOcean running CentOS 7.6, Kernel: 3.10.0-862.2.3.el7.x86_64
Can anyone help explain why SYNPROXY may not be running, or else, why / how to protect my server from SYN flooding?
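
Added example, not part of the original question: iptables stops at the first terminating rule that matches, so a SYNPROXY rule only counts packets that nothing above it has already accepted, rejected or dropped. This Python sketch walks the INPUT chain exactly as posted and lists the rules ahead of the SYNPROXY rule that can keep packets from reaching it. The function name and the two heuristics are this example's own, and because `iptables -L` without `-v` hides interface matches, a flagged rule should be confirmed with `iptables -S INPUT`.

```python
import re

# INPUT chain exactly as posted in the question (iptables -L output).
POSTED_INPUT = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
REJECT tcp -- anywhere anywhere #conn src/32 > 80 reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere ctstate NEW limit: avg 20/sec burst 20
DROP tcp -- anywhere anywhere ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST limit: avg 2/sec burst 2
DROP tcp -- anywhere anywhere tcp flags:RST/RST
DROP all -- anywhere anywhere ctstate INVALID
SYNPROXY tcp -- anywhere anywhere tcp ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
DROP all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere state INVALID
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY = {"anywhere", "0.0.0.0/0"}

def rules_shadowing_synproxy(listing):
    """Return (synproxy_rule_no, [(rule_no, reason)]) for one `iptables -L` chain."""
    shadows, num = [], 0
    for line in listing.splitlines():
        f = line.split(None, 5)
        if len(f) < 5 or f[2] != "--":   # skips the "Chain ..." and column header lines
            continue
        num += 1
        target, proto, src, dst = f[0], f[1], f[3], f[4]
        match = re.sub(r"reject-with \S+", "", f[5] if len(f) > 5 else "").strip()
        if target == "SYNPROXY":
            return num, shadows
        if target not in TERMINAL or src not in ANY or dst not in ANY:
            continue
        if proto == "all" and not match:
            # -L without -v hides -i/-o matches, so confirm with `iptables -S`.
            shadows.append((num, "no visible match: ends traversal for every packet"))
        elif target != "ACCEPT" and re.fullmatch(r"(ct)?state INVALID", match):
            shadows.append((num, "drops INVALID packets before SYNPROXY can see them"))
    return None, shadows
```

On the posted chain this reports the SYNPROXY rule at position 13 with rules 2, 6 and 12 ahead of it. The listing covers only the filter table, so whether SYN packets are marked untracked in the raw table cannot be checked from it.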