My server is under a SYN attack, what can I do? Print

If you believe you are under a SYN attack, run the following command:

    * netstat -an |grep :80 |more

You will see a list like the following, however there will be serveral hundred entries:

tcp        0      0 12.34.56.78:80        211.48.6.244:1048       SYN_RECV    
tcp        0      0 12.34.56.78:80        128.223.93.135:1167     SYN_RECV    
tcp        0      0 12.34.56.78:80        194.15.197.170:1192     SYN_RECV    
tcp        0      0 12.34.56.78:80        199.155.53.109:1039     SYN_RECV    
tcp        0      0 12.34.56.78:80        4.168.188.28:1048       SYN_RECV    

Assuming your kernel was built with syncookie support, execute the following command as root:

    * echo 1 > /proc/sys/net/ipv4/tcp_syncookies

If it's not enabled, there isn't much you can do other than build a new kernel and reboot and use it or wait out the attack. Some datacenters can help with this as well.