Hardening Linux Against SYN Flood & DDoS: sysctl, iptables & DDoS Deflate

This guide explains how to protect Linux servers from SYN flood and DDoS attacks by tuning sysctl parameters, applying iptables rules, installing the free DDoS‑deflate script, and monitoring nginx logs to identify and block malicious IPs and user agents.


Background

Virtual‑hosting providers often suffer SYN flood and DDoS attacks that exhaust connection queues or overload network bandwidth, leading to service interruptions. While hardware firewalls are costly, Linux’s built‑in firewall and kernel settings can mitigate many of these threats.

Using sysctl to mitigate SYN attacks

First, list the current IPv4 SYN‑related settings:

sudo sysctl -a | grep ipv4 | grep syn

Typical output includes net.ipv4.tcp_max_syn_backlog, net.ipv4.tcp_syncookies, net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries. Increase the backlog, enable SYN cookies, and reduce the retry counts by adding the following lines to /etc/sysctl.conf and reloading with sysctl -p:

# send SYN cookies once the SYN backlog overflows, so spoofed SYNs consume no queue entries
net.ipv4.tcp_syncookies = 1
# half-open connections queued per listening socket
net.ipv4.tcp_max_syn_backlog = 4096
# SYN-ACK retransmissions before a half-open entry is discarded
net.ipv4.tcp_synack_retries = 2
# retransmissions of our own outbound SYNs
net.ipv4.tcp_syn_retries = 2
# tcp_rmem/tcp_wmem take three values (min default max, in bytes);
# a single value as below updates only the min field
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
# the key is tcp_sack (net.ipv4.sack does not exist and makes sysctl -p report an error);
# disabling SACK saves per-connection work but costs throughput on lossy links
net.ipv4.tcp_sack = 0
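Before reloading, it pays to validate the fragment: a mistyped key makes sysctl -p report an error, and a single value written to a three‑field key is applied only to the first field. The checker below is an added example, not part of the article. Its functions (parse_sysctl_conf, read_live, audit) and the SAMPLE_CONF fragment are this example's own; the fragment deliberately reproduces the single‑value tcp_rmem/tcp_wmem lines and a misspelt SACK key (net.ipv4.sack instead of net.ipv4.tcp_sack), two mistakes commonly seen in copies of this advice, so the checker has something to find.

```python
"""Check a sysctl.conf fragment before applying it with `sysctl -p`.

Added example, not part of the original article. It parses key = value
lines, verifies that the buffer keys carry the three fields the kernel
expects, reports keys the running kernel does not expose, and lists the
values that `sysctl -p` would actually change.
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

# Keys whose value is a vector: "min default max" in bytes.
VECTOR_KEYS = {"net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"}

# Constructed fragment with the single-value buffer lines and the
# misspelt SACK key, so the checker has something to report.
SAMPLE_CONF = """
# SYN flood hardening
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
net.ipv4.sack = 0
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Return {key: value} for every non-comment, non-empty line."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = " ".join(value.split())  # normalise tabs/spaces
    return settings


def read_live(key: str, proc_root: str = "/proc/sys") -> Optional[str]:
    """Current value from /proc/sys, or None if the kernel has no such key."""
    path = os.path.join(proc_root, *key.split("."))
    try:
        with open(path, encoding="ascii") as fh:
            return " ".join(fh.read().split())
    except OSError:
        return None


def audit(settings: Dict[str, str],
          read_current: Callable[[str], Optional[str]] = read_live
          ) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (findings, changes).

    findings: problems that would make `sysctl -p` fail or misapply a line.
    changes:  (key, current, desired) for keys whose live value differs.
    """
    findings: List[str] = []
    changes: List[Tuple[str, str, str]] = []
    for key, desired in settings.items():
        if key in VECTOR_KEYS and len(desired.split()) != 3:
            findings.append(
                f"{key}: expects 'min default max', got {desired!r}; "
                "a single value only updates the min field")
        current = read_current(key)
        if current is None:
            findings.append(
                f"{key}: not exposed by the running kernel, sysctl -p "
                "will report an error (check the spelling with sysctl -a)")
        elif current != desired:
            changes.append((key, current, desired))
    return findings, changes


if __name__ == "__main__":
    # Audit the sample against the kernel this script runs on.
    problems, diffs = audit(parse_sysctl_conf(SAMPLE_CONF))
    for item in problems:
        print("PROBLEM:", item)
    for key, cur, new in diffs:
        print(f"CHANGE:  {key}: {cur} -> {new}")
```

Run it on the target host and it reads the live values from /proc/sys; audit() also accepts any key-lookup callable, which is how the example can be exercised against a recorded set of kernel values instead of the running machine.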

iptables rules

Use iptables to drop traffic from suspicious IPs and to limit the rate of SYN packets or ICMP echo requests. Example commands:

# Drop traffic from a specific IP
iptables -A INPUT -s 221.238.196.83 -p tcp -j DROP

# Limit incoming SYN packets to 1 per second (the limit match also allows a
# burst of 5 by default; raise --limit and --limit-burst on a busy server).
# The ACCEPT rule matches only while the rate is not exceeded, so SYNs above
# the rate must be dropped by a following rule, otherwise they simply fall
# through to the rest of the chain and its default policy.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Limit ICMP echo‑request (ping) floods the same way (FORWARD covers traffic
# routed through this host; use INPUT for pings addressed to the host itself)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

Note that rate‑limiting does not stop spoofed SYN floods: the limit cannot tell spoofed packets from genuine ones, so a large flood exhausts the allowance and legitimate SYNs are dropped along with it (SYN cookies are the defence there). It does help against port scans and low‑volume floods.
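To see what the limit rule actually does, the model below simulates the iptables limit match as the token bucket it is (the --limit rate refills a bucket of --limit-burst tokens, default 5, and a packet matches only while a token is available) and runs three constructed traffic patterns through the ACCEPT‑then‑DROP pair above. This is an added example, not code from the article or from netfilter; the LimitMatch class, run_chain function and the traffic generators are this example's own, and the scan and flood timings are invented.

```python
"""Token-bucket model of iptables' `-m limit` match.

Added example, not from the article. xt_limit keeps a bucket of
--limit-burst tokens (default 5) refilled at the --limit rate; a packet
matches only if a token is available. The chain modelled is the article's
SYN pair: ACCEPT while under the limit, then DROP everything else.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Syn = Tuple[float, str]  # (arrival time in seconds, source label)


class LimitMatch:
    """Approximation of the xt_limit token bucket."""

    def __init__(self, rate_per_s: float, burst: int = 5):
        self.rate = rate_per_s
        self.burst = float(burst)
        self.tokens = float(burst)  # the bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # Refill for the time elapsed since the previous packet, then spend.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(syns: List[Syn], rate_per_s: float = 1.0, burst: int = 5
              ) -> Dict[str, Dict[str, int]]:
    """Verdicts per source for `--syn -m limit ... -j ACCEPT` then `--syn -j DROP`."""
    limiter = LimitMatch(rate_per_s, burst)
    verdicts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"accepted": 0, "dropped": 0})
    for when, src in sorted(syns, key=lambda s: s[0]):
        verdicts[src]["accepted" if limiter.matches(when) else "dropped"] += 1
    return dict(verdicts)


# Constructed traffic patterns (timings invented for the example).
def normal_client() -> List[Syn]:
    """Three connections from one user over ten seconds."""
    return [(0.0, "client"), (3.0, "client"), (7.0, "client")]


def port_scan() -> List[Syn]:
    """Fifty SYNs in one second from a single scanner."""
    return [(i * 0.02, "scanner") for i in range(50)]


def spoofed_flood() -> List[Syn]:
    """200 spoofed SYNs in one second, plus one real user's SYN at 0.5 s."""
    return [(i * 0.005, "spoofed") for i in range(200)] + [(0.5025, "legit")]


if __name__ == "__main__":
    for name, traffic in (("normal client", normal_client()),
                          ("port scan", port_scan()),
                          ("spoofed flood", spoofed_flood())):
        print(name, run_chain(traffic))
```

The normal client is never touched and the scanner gets only the five-packet burst through, but in the flood scenario the genuine SYN is dropped as well: the limit has no notion of source, so once spoofed packets drain the bucket nobody gets in. That is the failure mode the note above warns about, and why SYN cookies rather than rate limiting are the answer to spoofed floods.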

DDoS Deflate

DDoS‑deflate is a free script that monitors network connections via netstat and automatically bans IPs that exceed a configurable threshold using iptables or APF.

# Install
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

The default configuration file /usr/local/ddos/ddos.conf contains key parameters:

FREQ=1                     # check interval in minutes
NO_OF_CONNECTIONS=150      # connections from one IP considered abusive
APF_BAN=1                  # use APF (set to 0 to use iptables)
KILL=1                     # actually block the IPs
EMAIL_TO="root"            # email notification address
BAN_PERIOD=600             # block duration in seconds

Useful command‑line options:

/usr/local/ddos/ddos.sh -h          # show help
/usr/local/ddos/ddos.sh -k 200      # block IPs with more than 200 connections
/usr/local/ddos/ddos.sh -c          # create cron job according to config

Monitoring with nginx logs

Configure a detailed log format to capture client IPs and user‑agents, then inspect the log for repeated requests:

log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" $http_x_forwarded_for';
access_log /usr/local/nginx/logs/access.log access;

Identify abusive IPs (e.g., many connections from the same address) and block them with iptables:

iptables -A INPUT -s 202.195.62.113 -j DROP

Identifying malicious user agents

Attack tools often present outdated browser user‑agent strings, which serve as a fingerprint. You can view the user‑agent string your own browser sends via a simple JavaScript bookmarklet:

javascript:alert(navigator.userAgent)

Malicious agents commonly observed include variations of "MSIE 5.01" and other obsolete Internet Explorer strings, which typically indicate automated scanning tools rather than real browsers.
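Putting the two monitoring steps together, the script below parses lines written by the log_format above, counts requests per client address and per user agent, flags addresses over a request threshold and clients presenting legacy Internet Explorer strings, and renders the corresponding iptables DROP commands for an operator to review. It is an added example, not code from the article; the regexes, the analyze/drop_rules functions and the sample log are this example's own, and the log lines are constructed with RFC 5737 test addresses.

```python
"""Count requests per client IP and per user agent in an nginx access log.

Added example, not code from the article. It parses lines written by the
article's `log_format access` directive, flags addresses that exceed a
request threshold and clients presenting legacy Internet Explorer strings,
and renders iptables DROP commands for an operator to review.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# One named group per field of the article's log_format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<xff>.*)$'
)
# Internet Explorer 6 and older, the fingerprint the article describes.
LEGACY_IE_RE = re.compile(r"MSIE [1-6]\.\d")

# Constructed sample log: one client hammering /login with an MSIE 5.01
# string, two ordinary clients, and one line that does not parse.
OLD_IE_UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
MODERN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"


def log_line(ip: str, path: str, ua: str, status: str = "200") -> str:
    """Render one line in the article's access format (constructed data)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'{status} 612 "-" "{ua}" -')


SAMPLE_LOG = (
    [log_line("203.0.113.7", "/login", OLD_IE_UA) for _ in range(8)]
    + [log_line("198.51.100.4", "/", MODERN_UA),
       log_line("198.51.100.4", "/about", MODERN_UA),
       log_line("192.0.2.9", "/index.html", MODERN_UA, "404"),
       "this line is not in the expected format"]
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(lines: Iterable[str], threshold: int = 5) -> Dict[str, object]:
    """Tally requests and return the offenders above `threshold` requests."""
    by_ip: Counter = Counter()
    by_ua: Counter = Counter()
    legacy_ie_ips = set()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep going; one bad line must not hide the rest
            continue
        by_ip[rec["ip"]] += 1
        by_ua[rec["ua"]] += 1
        if LEGACY_IE_RE.search(rec["ua"]):
            legacy_ie_ips.add(rec["ip"])
    return {
        "by_ip": by_ip,
        "by_ua": by_ua,
        "abusive_ips": [ip for ip, n in by_ip.most_common() if n > threshold],
        "legacy_ie_ips": sorted(legacy_ie_ips),
        "skipped": skipped,
    }


def drop_rules(ips: Iterable[str]) -> List[str]:
    """iptables commands for review; nothing here executes them."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("requests per IP:", report["by_ip"].most_common(3))
    print("legacy IE clients:", report["legacy_ie_ips"])
    print("\n".join(drop_rules(report["abusive_ips"])))
```

On a live server, pass `open("/usr/local/nginx/logs/access.log")` to analyze() and pick the threshold from the normal per-client request rate over the window you are inspecting; the legacy-IE list is a prompt for a closer look, since a single old browser string is a fingerprint rather than proof.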

Written by

ITPUB
