In my earlier entry I discussed firewalls and why we don’t need them. I put a small LAMP server to the test, and here are my results.

Attack Information:

  • Type: TCP SYN flood
  • Max performance: 26Kpps (8Mbps)
  • Source IP Spoofing: Yes

Victim A Specifications:

  • VMware Guest on a Single Core Opteron 1.8GHz Sun X2100
  • CentOS 4.x + Apache 2.x
  • 768MB RAM
  • Tuned (see below)

Here’s what I’ve added to /etc/sysctl.conf to tune the Linux TCP stack (loaded with sysctl -p, or at the next boot):


# Reset connections when the accept queue is full instead of dropping the
# final ACK and letting the client retry; kernel docs advise this only when
# the daemon cannot be made to accept faster.
net.ipv4.tcp_abort_on_overflow = 1
# Seconds a closed socket is held in FIN-WAIT-2 (default 60).
net.ipv4.tcp_fin_timeout = 15
# Prefer latency over throughput (bypasses the TCP prequeue on these kernels).
net.ipv4.tcp_low_latency = 1
# Once the SYN backlog fills, answer with SYN cookies instead of dropping new
# SYNs. This is the main SYN-flood defence in the stack itself.
net.ipv4.tcp_syncookies = 1
# Half-open connections remembered before cookies take over (default 1024).
net.ipv4.tcp_max_syn_backlog = 2048
# SYN-ACK retransmits for half-open connections (default 5); fewer retries
# means spoofed half-open entries expire sooner.
net.ipv4.tcp_synack_retries = 3
# Disable selective ACK: a small CPU saving, at a throughput cost on lossy paths.
net.ipv4.tcp_sack = 0
# Size of the connection-tracking table (only relevant if ip_conntrack is loaded).
net.ipv4.ip_conntrack_max = 65535
# Socket buffer ceilings and TCP autotuning ranges (min default max).
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Ephemeral ports for outgoing connections.
net.ipv4.ip_local_port_range = 1024 65000
# Probe idle connections after 1800 s, 4 probes 15 s apart, then drop them.
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_time = 1800

Here’s what I’ve added at the top of the rules in the *filter section of /etc/sysconfig/iptables as well. Note that -m limit is one global token bucket (20 SYNs a second, burst of 50), not a per-source limit: once the flood exceeds that rate, legitimate SYNs compete for the same budget and most of them are dropped at the host too, so the server stays up but new connections are largely refused rather than answered.


# Chain that lets at most 20 SYNs/s (burst 50) through and drops the rest.
-N SYN
-A SYN -m limit --limit 20/s --limit-burst 50 -j RETURN
-A SYN -j DROP
# Send every new-connection SYN (SYN set, ACK/RST/FIN clear) through it.
-A INPUT -p tcp --syn -j SYN

* Note: During my testing, I added a log entry before dropping the packet; this floods the logs and kills the CPU and I/O, so I highly discourage doing so.
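The sysctl and iptables settings above are easy to get wrong silently (a typo in sysctl.conf is just skipped, and the SYN chain may be dropping everything before the kernel ever needs cookies). The script below is an added example, not part of the original post, for checking both during a test like this one: that the running sysctl values match what was asked for, and what the kernel and the SYN chain actually did while the flood ran. It reads /proc/net/netstat, /proc/sys and saved "iptables -L SYN -v -n -x" output; all file paths, the sample counter values and the helper names are constructed for the example.

```shell
#!/bin/sh
# synflood_check.sh (added example, not the original post's code): verify the
# tuning is in effect and read what happened during the flood. Every function
# takes file paths, so it works on saved copies as well as the live files.

# Print one counter from the TcpExt section of a /proc/net/netstat-style
# file ($1 = file, $2 = counter name). The section is two lines, a header of
# names and a line of values, both prefixed "TcpExt:": find the column in the
# header, print it from the value line. Prints nothing if the name is absent.
tcpext_counter() {
    awk -v want="$2" '
        $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) if ($i == want) col = i; hdr = 1; next }
        $1 == "TcpExt:" && hdr  { if (col) print $col; exit }
    ' "$1"
}

# Change in a counter between a snapshot taken before the flood ($1) and one
# taken during it ($2); a counter missing from either file counts as 0.
counter_delta() {
    before_v=$(tcpext_counter "$1" "$3")
    during_v=$(tcpext_counter "$2" "$3")
    echo $(( ${during_v:-0} - ${before_v:-0} ))
}

# Read the two snapshots and say what the stack did:
#   cookies  - SYN cookies were sent: the backlog filled and the stack kept
#              answering without storing half-open state (tcp_syncookies=1)
#   overflow - ListenDrops moved with no cookies: the listener dropped instead
#              (tcp_syncookies off, or Apache not accepting fast enough)
#   quiet    - neither moved. With the SYN chain above dropping all but
#              20 SYN/s before the stack sees them, this is expected, and the
#              chain's drop count is the number to look at instead.
synflood_verdict() {
    sent=$(counter_delta "$1" "$2" SyncookiesSent)
    drops=$(counter_delta "$1" "$2" ListenDrops)
    if [ "$sent" -gt 0 ]; then echo cookies
    elif [ "$drops" -gt 0 ]; then echo overflow
    else echo quiet
    fi
}

# Packets eaten by the DROP rule of the SYN chain, from saved
# "iptables -L SYN -v -n -x" output ($1); -x keeps exact counts, not "1500K".
syn_chain_drops() {
    awk '$3 == "DROP" { n += $1 } END { print n + 0 }' "$1"
}

# Compare a running sysctl with the value /etc/sysctl.conf asked for.
# $1 = root of the sysctl tree (/proc/sys on a live box), $2 = dotted key,
# $3 = expected value. Multi-value keys such as tcp_rmem are tab separated in
# /proc, so whitespace is squeezed before comparing. Returns 1 on mismatch.
check_sysctl() {
    path="$1/$(echo "$2" | tr . /)"
    if [ -r "$path" ]; then actual=$(tr -s ' \t' ' ' < "$path"); else actual=; fi
    if [ "$actual" = "$3" ]; then
        echo "ok   $2 = $actual"; return 0
    fi
    echo "FAIL $2 = '${actual:-<missing>}', wanted '$3'"; return 1
}

# Constructed sample data (not real captures) so the functions run offline:
# no cookies before the flood, 120000 sent during it with no listen drops,
# 1.5M SYNs dropped by the chain, and a sysctl tree with only part of the
# tuning applied. The TcpExt header is trimmed to the counters used here.
write_samples() {
    cat > "$1/before" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 0 0 0 12 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    cat > "$1/during" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 120000 3 1 12 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    cat > "$1/synchain" <<'EOF'
Chain SYN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1180     47200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 20/sec burst 50
 1500000  60000000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    mkdir -p "$1/sys/net/ipv4"
    echo 1 > "$1/sys/net/ipv4/tcp_syncookies"
    printf '4096\t87380\t16777216\n' > "$1/sys/net/ipv4/tcp_rmem"
}

# Live usage, as root on the victim:
#   cp /proc/net/netstat /tmp/before; <start the flood>; cp /proc/net/netstat /tmp/during
#   iptables -L SYN -v -n -x > /tmp/synchain
#   synflood_verdict /tmp/before /tmp/during; syn_chain_drops /tmp/synchain
#   check_sysctl /proc/sys net.ipv4.tcp_syncookies 1
```

Take the "before" snapshot after Apache is up and idle, not at boot, so the deltas only cover the flood. A FAIL from check_sysctl on a key you put in sysctl.conf usually means the line was mistyped or sysctl -p was never run; a "quiet" verdict with a large chain drop count means the host firewall, not the TCP stack, absorbed the flood.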

I repeated the same test on another VM running on a much more powerful Dell 2850, with no modifications to the kernel or iptables.

Victim B Specifications:

  • VMware Guest on a 2 x Dual Core Xeon 3.2GHz Dell 2850
  • CentOS 5.x + Apache 2.x
  • 256MB RAM
  • No Tuning

Results:

  • Victim A held up under a 16Kpps SYN flood (approx 5Mbps) but slowed down a little
  • Victim A still responded under a 26Kpps SYN flood (approx 8Mbps) but was extremely slow
  • Victim B held up under a 26Kpps SYN flood (approx 8Mbps) and did not slow down at all

At this point I couldn’t generate any more SYN packets as I lacked the hardware to do so, but it has given some conclusive results that a reasonably powerful LAMP server could take on modest DDoS attacks if configured correctly. I would expect bare-metal hardware with decent CPU performance to hold up much, much better than what I’ve tested.

Time to ditch that firewall!