DDoS (Distributed Denial of Service) Protection - RHEL 7

• Netfilter: iptables target SYNPROXY

• DDoS attacks are increasingly becoming commonplace as more and more products and services become dependent

on delivering services over the Internet.

• SYNPROXY module is designed to protect against common SYN-­floods and ACK-­floods, but can also be adjusted to

protect against SYN-­ACK floods.

• Works by filtering out false SYN-­ACK and ACK packets before the socket enters the “listen” state lock (otherwise

preventing new incoming connections)

• Significant step for fighting DDoS and protecting critical system services.

• Example configuration (intended for a web server):

sysctl: net.netfilter.nf_conntrack_tcp_loose=0 [DEFAULT=1]

# iptables -­t raw -­A PREROUTING -­i eth0 -­p tcp -­-­dport 80 -­-­syn -­j NOTRACK

# iptables -­A INPUT -­i eth0 -­p tcp -­-­dport 80 -­m state UNTRACKED,INVALID \

-­j SYNPROXY -­-­sack-­perm -­-­timestamp -­-­mss 1480 -­-­wscale 7 –ecn

DDoS