How to stop SYN_SENT?

Running netstat is showing hundreds of this line, even after rebooting the server — it starts sending again, causing many connections to that IP.

    tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
    tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
    tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
    tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
    tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT

I stopped all scripts, but it still keeps trying.

I know this means the IP is not responding to SYN_SENT, but how can I stop those SYN_SENT? Or what is the best solution to this?

Thanks.

EGN asked Jul 30 '12 21:07


1 Answer

This question seems to be getting many views but no answer yet, so I decided to answer my own question for anyone looking for a solution.

First things first: knowing the reason is half of the solution. I was under what is called a SYN Flooding Attack, which uses HTTP protocol behavior against itself.

The short of it is, a remote client tries to establish a connection with your server by sending SYN; your server replies with SYN_ACK (in your logs you will see SYN_SENT) and waits until it receives ACK. If ACK is not received within xx seconds, your server will send SYN_ACK again... and again... and again. It will eventually reach the configured threshold and stop accepting any more SYN requests, making your server unresponsive. One of the symptoms I had was that my website responded once like nothing was wrong but did not respond the next xx times.

(image: HTTP Protocol SYN)

The solution that worked for me was enabling SYN cookies. SSH into your server and open the following file using your favorite editor; I'm using vi in this example:

    vi /etc/sysctl.conf

Then add these lines to the file and restart your server. Hopefully this will stop the attack as it did for me:

    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 3

I was using CentOS. I think the above solution will work on all distributions, but in case it doesn't, search for "How to stop SYN Flooding Attack" for your Linux distribution.

On a side note, blocking the IPs initiating the SYN requests will probably not help, because most likely the attacker has spoofed the IPs.

EGN answered Oct 26 '22 08:10
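As an added example (not part of EGN's answer or the original post), a POSIX shell script that triages the netstat output before touching sysctl: it counts sockets per TCP state and finds the remote host with the most of them, then compares the three sysctl keys from the answer with the values it recommends. The netstat sample, host 10.0.0.5 and the remote addresses are constructed.

```shell
#!/bin/sh
# Constructed netstat -nt sample (not from the original post); the addresses
# are documentation ranges and 10.0.0.5 stands in for the local host.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 10.0.0.5:36283          192.0.2.10:443          SYN_SENT
tcp        0      1 10.0.0.5:36284          192.0.2.10:443          SYN_SENT
tcp        0      0 10.0.0.5:443            198.51.100.7:51000      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.8:51001      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.9:51002      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:40000       ESTABLISHED
tcp        0      1 10.0.0.5:36285          192.0.2.10:443          SYN_SENT'

# count_state STATE: number of tcp sockets in STATE on stdin (netstat -nt format).
# SYN_RECV rows are inbound half-open connections, the ones SYN cookies protect;
# SYN_SENT rows are connections this host itself is trying to open outbound.
count_state() {
    awk -v st="$1" '$1 == "tcp" && $6 == st { n++ } END { print n + 0 }'
}

# top_peer STATE: remote host (port stripped) with the most sockets in STATE,
# printed as "count host"; prints nothing when no socket is in that state.
top_peer() {
    awk -v st="$1" '
        $1 == "tcp" && $6 == st { sub(/:[^:]*$/, "", $5); c[$5]++ }
        END { for (h in c) if (c[h] > best) { best = c[h]; top = h }
              if (best) print best, top }'
}

# check_syn_hardening: print "key current recommended" for the three sysctls
# from the answer, reading /proc/sys when available and "unavailable" otherwise.
check_syn_hardening() {
    for pair in tcp_syncookies:1 tcp_max_syn_backlog:2048 tcp_synack_retries:3; do
        key=${pair%%:*}; want=${pair##*:}; f="/proc/sys/net/ipv4/$key"
        if [ -r "$f" ]; then cur=$(cat "$f"); else cur=unavailable; fi
        printf '%s %s %s\n' "$key" "$cur" "$want"
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | count_state SYN_RECV   # 3
printf '%s\n' "$SAMPLE_NETSTAT" | top_peer SYN_SENT      # 3 192.0.2.10
check_syn_hardening
```

On a live host, replace the sample with `netstat -nt | count_state SYN_RECV` (or `ss -tan`, whose columns differ and would need the field numbers adjusted).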