iptables rule to drop SYN and FIN attacks
Solution 1
This rule will match if the syn flag is set
iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
And this one will match for the FIN flag
iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP
Note that you will need to tweak this, as the SYN rule will prevent all incoming TCP connections to your device; perhaps set the specific port you want blocked?
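The two rules above match only when exactly one of SYN or FIN is set (within the examined mask), so a probe with both flags set, like the `nmap --scanflags SYN,FIN` test in the question, passes both. The following added example (not code from any answer here) models iptables' `--tcp-flags MASK COMP` semantics to show which rule drops which segment; the `SYN,FIN SYN,FIN` rule is an assumed, common hardening rule, not one given on the page.

```python
# Model of iptables' "--tcp-flags MASK COMP": only the bits in MASK are examined,
# and they must equal COMP exactly. Added example, not from the page's answers.
# Flag bit values follow RFC 793 (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32).

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def flags_to_bits(spec):
    """Parse an iptables flag list such as 'SYN,ACK,FIN,RST' (or ALL / NONE) to a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]  # unknown flag name raises KeyError, as iptables would reject it
    return bits


def tcp_flags_match(packet_flags, mask, comp):
    """True if a segment carrying packet_flags matches '--tcp-flags mask comp'."""
    m, c = flags_to_bits(mask), flags_to_bits(comp)
    if c & ~m:
        raise ValueError("comp flags must be a subset of mask")
    return (flags_to_bits(packet_flags) & m) == c


# Rules as (mask, comp) pairs; every rule's target is DROP.
SOLUTION_1_RULES = [("SYN,ACK,FIN,RST", "SYN"), ("SYN,ACK,FIN,RST", "FIN")]
SYN_FIN_RULE = [("SYN,FIN", "SYN,FIN")]  # assumed rule: drop anything with SYN and FIN both set


def first_dropping_rule(packet_flags, rules):
    """Index of the first rule that would DROP the segment, or None if it passes all rules."""
    for i, (mask, comp) in enumerate(rules):
        if tcp_flags_match(packet_flags, mask, comp):
            return i
    return None


if __name__ == "__main__":
    # Constructed probes: the question's SYN,FIN scan plus ordinary handshake segments.
    for probe in ("SYN", "FIN", "SYN,FIN", "SYN,ACK", "ACK"):
        print(f"{probe:8} solution1={first_dropping_rule(probe, SOLUTION_1_RULES)} "
              f"syn_fin_rule={first_dropping_rule(probe, SYN_FIN_RULE)}")
```

Note that Solution 1's first rule also drops every ordinary SYN (index 0 for the plain "SYN" probe), which is the side effect the answer warns about.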
Solution 2
I use something to prevent these SYN attacks. Not sure if it is the correct one for your case, but you may take a look. I count requests per second and block IPs with more than X (in my case 20) requests in 1 second. Works for me.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
Solution 3
Go check my Community Wiki: iptables Tips & Tricks
Especially the following "answer": Answer #245713
Please note that for the blockage to be effective, it must be placed in -t raw -A PREROUTING
shadow_of__soul
Updated on September 18, 2022
Comments
shadow_of__soul over 1 year
From a Trustwave report, we are trying to set our server to block this type of request but after trying several combinations of rules, we can still see the ports.
Could anyone give me a hint or the set of necessary rules to block this request?
I'm using
nmap --scanflags SYN,FIN xxx.xxx.xxx.xxx
to test if iptables is blocking or not.
Eduardo Ivanec about 13 years
This should be on by default, but just in case check you have SYN cookies enabled with sysctl net.ipv4.tcp_syncookies.
coredump about 13 years
Check some rules on this post too.