phelum
Posts: 72
Joined: Thu Jul 17, 2014 7:05 am
Location: Sydney, AUS

Troublesome TCP SYNs

Tue Oct 29, 2019 10:08 pm

Hi,

I'm running stretch on a Pi 3B+ with a ZTE H268A router. I'm getting a heap of TCP SYNs from maybe 20 IPv4 addresses. My SYN,ACK response is apparently ignored and the Pi does try retransmission, which is making things worse.

This Pi is running a web server so I do need port forwarding on the router. I've tried blocking some of the IP addresses both in the router and also using iptables on the Pi. But neither of these seems to have any effect on the SYN packets.

Does anybody know how I can disable retransmission of the SYN,ACK packets? Or how to get iptables to ignore SYNs from these addresses?

Thanks,
Steven

phelum
Posts: 72
Joined: Thu Jul 17, 2014 7:05 am
Location: Sydney, AUS

Re: Troublesome TCP SYNs

Thu Oct 31, 2019 4:49 am

Hi,

In case this helps anyone:

iptables entries can be used to drop SYNs. My block on port 445 shows this when monitoring with Wireshark.

To reduce the impact of these SYNs I set /proc/sys/net/ipv4/tcp_synack_retries to 0 (was 5). Now the Pi just sends one ACK to the SYN and then presumably times out and gives up on the connection.

Cheers,
Steven

dave_p
Posts: 28
Joined: Sun Mar 04, 2012 2:11 pm

Re: Troublesome TCP SYNs

Sun Nov 03, 2019 1:10 pm

I've been seeing these for the last week. The source IPs (presumably spoofed) belong to hosting and cloud providers, and each IP sends roughly one SYN per minute. The largest number of different IPs I've seen at one time is 384.

This article suggests a way of automating countermeasures, though given my experience of a huge number of IPs, it would be better to block an entire /24 at a time rather than the individual addresses.

http://unixetc.co.uk/2019/07/02/how-to- ... d-attacks/
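One way to automate the /24 blocking suggested above, as an added example that is not from the thread or the linked article: parse the SRC= field of iptables LOG lines, count SYNs per /24 and emit a DROP rule for each network over a threshold. It assumes a LOG rule such as `iptables -A INPUT -p tcp --syn --dport 80 -j LOG --log-prefix "TCPIN: "`; the log lines in the script are constructed with RFC 5737 documentation addresses. Two cautions: if the sources are spoofed, the sender decides what lands in the block list, and a /24 belonging to a hosting provider may also carry legitimate visitors, so review the list before loading it; and once the list reaches hundreds of networks an ipset of type hash:net (optionally with a timeout) is a better home for it than hundreds of individual iptables rules.

```shell
#!/bin/sh
# Added example, not from the thread or the linked article: group the SYN
# sources logged by an iptables LOG rule into /24 networks, count them and
# emit one DROP rule per network at or above a threshold.  Assumes a rule
# like:  iptables -A INPUT -p tcp --syn --dport 80 -j LOG --log-prefix "TCPIN: "
# The log lines below are constructed (RFC 5737 documentation addresses).
SAMPLE_LOG='Nov  3 12:00:01 pi kernel: TCPIN: IN=eth0 OUT= SRC=203.0.113.17 DST=192.168.1.20 PROTO=TCP SPT=43111 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 12:00:09 pi kernel: TCPIN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.20 PROTO=TCP SPT=51200 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 12:00:14 pi kernel: TCPIN: IN=eth0 OUT= SRC=203.0.113.88 DST=192.168.1.20 PROTO=TCP SPT=40022 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 12:00:15 pi kernel: TCPIN: IN=eth0 OUT= SRC=203.0.113.17 DST=192.168.1.20 PROTO=TCP SPT=43111 DPT=80 WINDOW=29200 RES=0x00 ACK URGP=0
Nov  3 12:00:20 pi kernel: eth0: link is up
Nov  3 12:00:31 pi kernel: TCPIN: IN=eth0 OUT= SRC=192.0.2.200 DST=192.168.1.20 PROTO=TCP SPT=60001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 12:00:44 pi kernel: TCPIN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.20 PROTO=TCP SPT=39911 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 12:00:58 pi kernel: TCPIN: IN=eth0 OUT= SRC=203.0.113.201 DST=192.168.1.20 PROTO=TCP SPT=45001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read log lines on stdin and print "network/24 count", busiest first.
# Only lines carrying the SYN flag and a SRC= field are counted, so the
# function is safe to feed with a log from a LOG rule without --syn.
syn_sources_by_net() {
  awk '
    {
      syn = 0; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "SYN") syn = 1
        else if ($i ~ /^SRC=/) src = substr($i, 5)
      }
      if (!syn || src == "") next
      if (split(src, o, ".") == 4) count[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (k in count) print k, count[k] }' | sort -k2,2nr -k1,1
}

# Read log lines on stdin and print a DROP rule for every /24 whose SYN
# count is at or above the threshold (default 2).  --syn keeps the rule
# from touching packets of flows that are already established.
drop_rules_for_nets() {
  syn_sources_by_net | awk -v t="${1:-2}" \
    '$2 >= t { print "iptables -I INPUT -s " $1 " -p tcp --syn -j DROP" }'
}

# Wrappers over the constructed sample so the script runs stand-alone.
sample_report() { printf '%s\n' "$SAMPLE_LOG" | syn_sources_by_net; }
sample_rules()  { printf '%s\n' "$SAMPLE_LOG" | drop_rules_for_nets "$1"; }

sample_report
sample_rules 2
```

On a live system feed the real kernel log instead of the sample, for example `grep TCPIN: /var/log/kern.log | drop_rules_for_nets 5 > /tmp/rules.sh`, read the generated file, and only then run it. The threshold is the knob that separates one stray probe from a network that is actively flooding.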
