In my earlier entry I discussed an interesting topic on firewalls and why we don’t need them. I put a small LAMP server to the test and got my results.<\/p>\n
Attack Information:<\/p>\n
Victim A Specifications:<\/p>\n
Here’s what I’ve added to tune the Linux TCP stack in Here’s what I’ve added to the top of my iptables configuration in I repeated the same test on another VM running in a much more powerful Dell 2850 and with no modifications to the kernel or iptables.<\/p>\n Victim B Specifications:<\/p>\n Results:<\/p>\n At this point in time, I couldn’t generate any more SYN packets as I lacked the hardware to do so, but it has given some conclusive results that a reasonably powerful LAMP hardware could take on modest DDoS attacks if configured correctly. I would expect a bare metal hardware with decent CPU performance to hold up much much more than what I’ve tested.<\/p>\n Time to ditch that firewall!<\/p>\n","protected":false},"excerpt":{"rendered":" In my earlier entry I discussed an interesting topic on firewalls and why we don’t need them. I put a small LAMP server to the test and got my results. Attack Information: Type: TCP SYN flood Max performance: 26Kpps (8Mbps)… Continue Reading →<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8],"tags":[114,118,119,123],"class_list":["post-706","post","type-post","status-publish","format-standard","hentry","category-tech","tag-ddos","tag-firewall","tag-iptables","tag-syn-flood"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/comments?post=706"}],"version-history":[{"count":2,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/706\/revisions"}],"predecessor-version":[{"id":708,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/706\/revisions\/708"}],"wp:attachment":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/media?parent=706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/categories?post=706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/tags?post=706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\/etc\/sysctl.conf<\/code>:<\/p>\n
\nnet.ipv4.tcp_abort_on_overflow = 1
\nnet.ipv4.tcp_fin_timeout = 15
\nnet.ipv4.tcp_low_latency = 1
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 2048
\nnet.ipv4.tcp_synack_retries = 3
\nnet.ipv4.tcp_sack = 0
\nnet.ipv4.ip_conntrack_max = 65535
\nnet.core.rmem_max = 16777216
\nnet.core.wmem_max = 16777216
\nnet.ipv4.tcp_rmem = 4096 87380 16777216
\nnet.ipv4.tcp_wmem = 4096 65536 16777216
\nnet.ipv4.ip_local_port_range = 1024 65000
\nnet.ipv4.tcp_keepalive_intvl = 15
\nnet.ipv4.tcp_keepalive_probes = 4
\nnet.ipv4.tcp_keepalive_time = 1800
\n<\/code><\/p><\/blockquote>\n\/etc\/sysconfig\/iptables<\/code> as well:<\/p>\n
\n-N SYN
\n-A SYN -m limit --limit 20\/s --limit-burst 50 -j RETURN
\n-A SYN -j DROP
\n-A INPUT -p tcp --syn -j SYN
\n<\/code>
\n* Note: During my testing, I added a log entry before dropping the packet as this floods the logs and kills the CPU and I\/O so I highly discourage doing so.\n<\/p><\/blockquote>\n\n
\n