
When under a SYN flood attack, my CPU reaches 100% in no time due to the kernel process named ksoftirqd. I tried so many mitigations, but none solved the problem.

This is my sysctl configuration as returned by sysctl -p:

net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
fs.file-max = 10000000
fs.nr_open = 10000000
net.core.somaxconn = 128
net.core.netdev_max_backlog = 2500
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_tw_reuse = 1
net.netfilter.nf_conntrack_max = 10485760
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
vm.swappiness = 10
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_synack_retries = 1

Even after activating SYN cookies, the CPU stays the same. The listen queue of port 443 (the port under attack) shows 512 SYN_RECV, which is the default backlog limit set by NGINX.

Which is also weird, because SOMAXCONN is set to a much lower value than 512 (128), so how does it exceed that limit? SOMAXCONN needs to be the upper bound for every socket listen, and it's not...

I have read so much and I'm confused. As far as I understood, SOMAXCONN is the backlog size for both the LISTEN and ACCEPT queues, so what exactly is tcp_max_syn_backlog? And how do I calculate each queue size?

I also read that SYN cookies do not activate immediately, but only after reaching the tcp_max_syn_backlog size. Is that true? And if so, it means its value needs to be lower than SOMAXCONN...

I even tried activating tcp_abort_on_overflow while under attack, but nothing changed. If it's true that SYN cookies activate on overflow, what does applying them together result in?

I have 3 GB of RAM, of which only 700 MB is used; my only problem is the CPU load.

iTaMaR
  • SYN cookies are useless against a SYN flood attack; they solve other problems. The only real way to survive a SYN flood is to have enough resources to withstand it. – Marco Bonelli Mar 21 '21 at 05:57
  • I tried adding more CPU, but every time I did I still reached 100%. I think it's a matter of config too. I will gladly add resources if that's what's needed, but as I said, it appears that too much CPU is given to this flood and something else must be done... – iTaMaR Mar 21 '21 at 12:00
  • You are probably on the wrong site. This one is about programming. You may need to check our sister sites (see the top-right icon for the list/links): about security or about servers. – Giacomo Catenazzi Mar 22 '21 at 12:29
  • https://superuser.com/ sounds like it – eftshift0 Mar 22 '21 at 16:28
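The question above asks how the two listen-side queues are sized and when SYN cookies kick in. The following bash script is an added example, not part of the original question, its comments, or any answer. It computes the effective accept-queue limit the way the kernel does (the smaller of the backlog the application passes to listen() and net.core.somaxconn, read at listen() time, so a sysctl change only reaches sockets opened afterwards), parses the SYN-cookie and listen-overflow counters out of /proc/net/netstat, and shows the live ss commands for watching a listener. The /proc/net/netstat text embedded in it is a constructed sample; the port number and the use of 511 as the value nginx passes to listen() on Linux are assumptions for the illustration. The statement that, on current kernels, the "SYN queue is full" check that triggers cookies uses the same listen() limit as the accept queue comes from reading tcp_conn_request() and is noted as such in the comments.

```shell
#!/usr/bin/env bash
# Added example: sizing and observing the Linux TCP listen queues under a SYN flood.
# Not code from the original post. Assumptions are marked below.
#
# Accept queue (handshake completed, waiting for accept()):
#   limit = min(backlog given to listen(), net.core.somaxconn)
#   somaxconn is sampled when listen() runs, so "sysctl -p" alone does not
#   resize an already-listening socket.
# SYN queue (SYN_RECV request sockets):
#   with net.ipv4.tcp_syncookies=1 a cookie is only sent once the kernel
#   considers the SYN queue full; with =2 cookies are sent unconditionally.
#   On current kernels that fullness check compares against the same
#   listen() limit as the accept queue (assumption from reading
#   tcp_conn_request()), while tcp_max_syn_backlog only governs the
#   early-drop heuristic used when cookies are disabled.

# Effective accept-queue limit for one listener.
# Usage: effective_backlog <app_backlog> <somaxconn>
effective_backlog() {
    local app_backlog=$1 somaxconn=$2
    if [ "$app_backlog" -lt "$somaxconn" ]; then
        echo "$app_backlog"
    else
        echo "$somaxconn"
    fi
}

# Read one TcpExt counter from /proc/net/netstat text on stdin.
# The file is header/value line pairs: the first "TcpExt:" line names the
# columns, the second carries the values in the same order.
# Usage: netstat_counter <CounterName> < /proc/net/netstat
netstat_counter() {
    local name=$1
    awk -v name="$name" '
        $1 == "TcpExt:" && !hdr_seen { for (i = 2; i <= NF; i++) idx[$i] = i; hdr_seen = 1; next }
        $1 == "TcpExt:" && hdr_seen  { if (name in idx) print $(idx[name]); exit }
    '
}

# Constructed sample of /proc/net/netstat, trimmed to the counters that matter here
# (a real file has well over a hundred columns). Not captured from a real host.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 48213 97 12 0 0 48213 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# Live view for a listening port (Linux only; needs iproute2's ss).
# For a LISTEN socket, ss prints Send-Q = effective backlog and
# Recv-Q = current accept-queue length. The second ss call counts
# SYN_RECV request sockets for that port, i.e. the SYN queue occupancy.
# Usage: show_live [port]   (port defaults to 443, an assumption)
show_live() {
    local port=${1:-443}
    echo "== accept queue (Recv-Q current / Send-Q limit) for :$port"
    ss -ltn "sport = :$port"
    echo "== SYN_RECV count for :$port"
    ss -tn state syn-recv "( sport = :$port )" | tail -n +2 | wc -l
    echo "== cookie / overflow counters since boot"
    for c in SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop; do
        printf '%s=%s\n' "$c" "$(netstat_counter "$c" < /proc/net/netstat)"
    done
}

# Worked numbers from the question: nginx's Linux default listen() backlog is
# 511 (assumption for this example) and the posted somaxconn is 128.
echo "effective backlog with somaxconn=128:  $(effective_backlog 511 128)"
echo "effective backlog with somaxconn=4096: $(effective_backlog 511 4096)"
echo "SyncookiesSent in constructed sample:  $(printf '%s\n' "$SAMPLE_NETSTAT" | netstat_counter SyncookiesSent)"
```

Running show_live 443 on a box under flood lets you compare what the kernel actually enforces (Send-Q) with what sysctl currently says, and tells cookie-answered SYNs (SyncookiesSent, TCPReqQFullDoCookies climbing) apart from outright drops (TCPReqQFullDrop, ListenDrops, ListenOverflows). A Send-Q larger than the current net.core.somaxconn means the listener was opened before the sysctl was lowered and needs a restart to pick the new value up.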

0 Answers