Some DoS/DDoS protection

Below I describe how to mitigate two common denial-of-service attacks against a Linux server: TCP SYN floods at the kernel level and Slowloris-style slow-request attacks at the proxy level.

TCP SYN flood attacks

In this attack the attacker sends a stream of SYN packets (usually with spoofed source addresses) and never sends the final ACK, so the TCP 3-way handshake is never completed. Every unanswered SYN leaves a half-open connection in the kernel's SYN backlog, and once that backlog is full the kernel starts dropping SYNs from legitimate clients as well.

1. /etc/sysctl.conf (comments go on their own lines; sysctl does not reliably accept a trailing comment after a value)
# Protection against SYN flood

# Once the SYN backlog is full, answer SYNs with SYN cookies instead of
# queuing state for them, so legitimate clients can still complete the handshake
net.ipv4.tcp_syncookies = 1
# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on, i.e. spoofed sources.
# Use 2 (loose mode) instead of 1 if the host sees asymmetric routing.
net.ipv4.conf.all.rp_filter = 1
# How many half-open connections (SYN seen, final ACK not yet seen) the
# kernel queues per listening socket before SYN cookies kick in
net.ipv4.tcp_max_syn_backlog = 1024

2. Load the new parameters (they are also applied at every boot now that they are in the file; on distributions that read /etc/sysctl.d/, put the settings in a file there and load them with sysctl --system instead)

sysctl -p
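To see what the SYN backlog actually holds, here is an added example (not code from the page): half-open connections show up in /proc/net/tcp with state 03 (SYN_RECV). The script parses that table to count half-open connections per listening port and per claimed source address, and audits the three sysctl values above against a live Linux kernel. The /proc/net/tcp excerpt is constructed for the example, and the address decoding assumes a little-endian host (the kernel prints the address in host byte order).

```python
"""Half-open connections in /proc/net/tcp and an audit of the SYN-flood sysctls.
Added example, not code from the page."""
import socket
import struct
from collections import Counter

SYN_RECV = 0x03   # TCP_SYN_RECV, include/net/tcp_states.h

# The settings the page recommends, keyed by their /proc/sys path.
EXPECTED = {
    "/proc/sys/net/ipv4/tcp_syncookies": "1",
    "/proc/sys/net/ipv4/conf/all/rp_filter": "1",
    "/proc/sys/net/ipv4/tcp_max_syn_backlog": "1024",
}

# Constructed /proc/net/tcp excerpt: one listener on :80 (state 0A), three
# half-open connections (03) from different sources, one established (01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 0200000A:C350 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0300000A:C351 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0400000A:C352 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   4: 0100007F:01BB 0500000A:C353 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80). The IPv4 address is a 32-bit
    word printed in host byte order as hex (little-endian host assumed here),
    the port is plain hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def half_open(proc_net_tcp):
    """Return (per_port, per_source): how many SYN_RECV entries each local
    port has, and how many each remote address claims to have sent. A flood
    with spoofed sources shows up as many sources with one entry each."""
    per_port, per_source = Counter(), Counter()
    for line in proc_net_tcp.splitlines()[1:]:       # first row is the header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue
        _, port = decode_addr(fields[1])
        src, _ = decode_addr(fields[2])
        per_port[port] += 1
        per_source[src] += 1
    return per_port, per_source


def audit_sysctl(read=lambda path: open(path).read().strip()):
    """Compare EXPECTED with what the kernel reports. Returns {path: (want, got)}
    for every mismatch; `read` is injectable so the check can run offline."""
    mismatches = {}
    for path, want in EXPECTED.items():
        try:
            got = read(path)
        except OSError:
            got = None                                # not Linux, or no permission
        if got != want:
            mismatches[path] = (want, got)
    return mismatches


if __name__ == "__main__":
    ports, sources = half_open(SAMPLE_PROC_NET_TCP)
    print("sample half-open per port:", dict(ports))
    print("sample half-open per source:", dict(sources))
    try:
        with open("/proc/net/tcp") as f:
            print("live half-open per port:", dict(half_open(f.read())[0]))
    except OSError:
        pass
    for path, (want, got) in audit_sysctl().items():
        print("%s: want %s, got %s" % (path, want, got))
```

On a live host `ss -n state syn-recv` gives the same per-connection view, and the kernel logs "Possible SYN flooding on port N. Sending cookies." the first time SYN cookies engage on a listener, so a spike in the per-port count together with that message is the signature to alert on.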

Slowloris-like attacks

The attack is named after the animal: slow, but venomous. The attacker opens many connections and sends each request very slowly, header by header or even character by character, and never finishes the request head. The server reserves a worker or connection slot for every request and keeps waiting for the rest of it, so it does not take long before all Apache worker slots are tied up or the server's memory is consumed, and legitimate clients can no longer get in.

1. /etc/haproxy/haproxy.cfg, in the defaults section or in the frontend that receives client traffic

timeout http-request 5s

A client that has not delivered the complete request headers within 5 seconds gets a 408 response and its connection is closed, so a slot can no longer be held open indefinitely by a dripping request. Pick a value your slowest legitimate clients can still meet; 5 seconds is generous for sending headers.

2. Restart haproxy so the new timeout takes effect (validate the file with haproxy's -c configuration check first; on systemd hosts use the service manager's restart command instead of the init script)

/etc/init.d/haproxy restart
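To see why a limit on header arrival time is the right fix, here is an added example that is not code from the page or from HAProxy: a small socket server with a fixed pool of worker slots, two Slowloris-style clients that drip their request headers, and one well-behaved client. The header timeout parameter plays the role of HAProxy's `timeout http-request`; the pool size, attack pace and request fragments are assumptions constructed for the demonstration.

```python
"""Slowloris in miniature: worker slots held by dripping requests, with and
without a header read timeout. Added example, not code from the page or HAProxy."""
import socket
import threading
import time

WORKERS = 2           # assumed worker pool size (Apache's MaxRequestWorkers plays this role)
SLOW_CLIENTS = 2      # just enough to occupy every worker slot
DRIP_INTERVAL = 0.6   # seconds between header fragments (constructed attack pace)
# Constructed request head; the slow clients send it one fragment at a time.
FRAGMENTS = [b"GET / HTTP/1.1\r\n", b"Host: ", b"example\r\n", b"X-a: b\r\n", b"\r\n"]


def read_request_head(conn, header_timeout):
    """Read until the blank line that ends the request head.
    Returns 'ok', 'timeout' (head still incomplete after header_timeout
    seconds) or 'closed'. header_timeout=None waits forever, like a server
    with no such limit."""
    deadline = None if header_timeout is None else time.monotonic() + header_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        if deadline is not None:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "timeout"
            conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout"
        if not chunk:
            return "closed"
        buf += chunk
    return "ok"


def serve(srv, header_timeout, stop):
    """Accept loop with WORKERS slots. A slot stays occupied for as long as
    the request head is being read, which is exactly what Slowloris abuses."""
    slots = threading.Semaphore(WORKERS)

    def worker(conn):
        try:
            verdict = read_request_head(conn, header_timeout)
            status = b"200 OK" if verdict == "ok" else b"408 Request Time-out"
            conn.sendall(b"HTTP/1.1 " + status +
                         b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        except OSError:
            pass                      # client already went away
        finally:
            conn.close()
            slots.release()

    srv.settimeout(0.2)               # lets the loop notice the stop flag
    while not stop.is_set():
        slots.acquire()
        try:
            conn, _ = srv.accept()
        except OSError:               # accept timed out or the socket was closed
            slots.release()
            continue
        threading.Thread(target=worker, args=(conn,), daemon=True).start()


def slow_client(port):
    """Slowloris-style client: connect, then drip the request head."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        for fragment in FRAGMENTS:
            s.sendall(fragment)
            time.sleep(DRIP_INTERVAL)
    except OSError:
        pass                          # the server gave up on us: the timeout did its job
    finally:
        s.close()


def run_demo(header_timeout):
    """Fill every worker slot with slow clients, then time a normal request.
    Returns how many seconds the legitimate client waited for its response."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]
    stop = threading.Event()
    threading.Thread(target=serve, args=(srv, header_timeout, stop), daemon=True).start()

    attackers = [threading.Thread(target=slow_client, args=(port,), daemon=True)
                 for _ in range(SLOW_CLIENTS)]
    for t in attackers:
        t.start()
    time.sleep(0.3)                   # let the slow clients grab all the slots first

    started = time.monotonic()
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
        s.settimeout(10)
        s.recv(4096)                  # blocks until a slot frees up and we are served
    waited = time.monotonic() - started

    for t in attackers:
        t.join()
    stop.set()
    srv.close()
    return waited


if __name__ == "__main__":
    print("no header timeout: legit client waited %.1fs" % run_demo(None))
    print("1s header timeout: legit client waited %.1fs" % run_demo(1.0))
```

Without the timeout the legitimate request is only served once the attackers choose to finish their headers (about 2.4 s here, and as long as they like in a real attack); with a 1 s header timeout the slots are reclaimed after a second regardless of what the attacker does. The same reasoning sets the value of `timeout http-request`: it bounds how long any single connection can sit in the slot without presenting a complete request.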