Plagued by junk TCP SYNs

phelum
Posts: 74
Joined: Mon Mar 27, 2006 9:37 am
Location: Sydney 2074

Plagued by junk TCP SYNs

Post by phelum » Wed Oct 30, 2019 3:44 pm

Hi,

I'm running stretch on a Pi 3B+ with a ZTE H268A router. I'm getting a heap of TCP SYNs from maybe 20 IPv4 addresses. My SYN,ACK response is apparently ignored and the Pi does try retransmission, which is making things worse.

This Pi is running a web server so I do need port forwarding on the router. I've tried blocking some of the IP addresses both in the router and also using iptables in the Pi. But neither of these seem to have any effect on the SYN packets.

Does anybody know if I should be able to get the router to drop TCP SYNs from specified addresses? I do have anti-hack enabled. I'm wondering if the filtering only applies to data packets. Or can I set up Debian networking to disable retransmission of the SYN,ACK packets? Or how to get iptables to ignore SYNs from these addresses?

Thanks,
Steven
-- Steven Saunderson

KavindaS
Exetel Staff
Posts: 2569
Joined: Wed Dec 23, 2009 3:59 pm
Location: Sydney

Re: Plagued by junk TCP SYNs

Post by KavindaS » Wed Oct 30, 2019 4:38 pm

phelum wrote:
Wed Oct 30, 2019 3:44 pm
Hi Steven,

Usually, this should be controlled by the router / firewall. However, I will check further with ZTE support and provide you feedback accordingly.

phelum
Posts: 74
Joined: Mon Mar 27, 2006 9:37 am
Location: Sydney 2074

Re: Plagued by junk TCP SYNs

Post by phelum » Thu Oct 31, 2019 3:35 pm

Hi,
Updating my own post here.

I've managed to get the ZTE router filtering (discarding) packets from specified address ranges. I'm not sure why this didn't work yesterday.

I see that filtering of TCP SYNs using iptables does work. I'm seeing SYNs come in on port 445 and they're all being dropped as they should.

What I found that helped is changing /proc/sys/net/ipv4/tcp_synack_retries to 0 (default is 5). This considerably reduces the noise I create in response to these unwanted SYNs. Doesn't seem to affect normal traffic. This seems a good approach to reduce the impact of SYN attacks from random hosts.

Cheers,
Steven
-- Steven Saunderson
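The two host-side measures Steven settled on above, dropping SYNs from listed sources with iptables and lowering tcp_synack_retries, written out as an added example that is not code from the thread. The source addresses are constructed RFC 5737 documentation ranges standing in for the real ones; the rule uses `-p tcp --syn`, which matches only segments with SYN set and ACK, RST and FIN clear, so established connections are never touched, and it is inserted at the top of INPUT so it fires ahead of any ACCEPT. Writing to /proc/sys/net/ipv4/tcp_synack_retries and `sysctl -w net.ipv4.tcp_synack_retries` set the same kernel knob; the function also rejects values outside the kernel's 0..255 range. One caveat worth keeping in mind: with the value at 0 the kernel sends each SYN,ACK once, so a genuine client whose SYN,ACK is lost on a lossy link gets no retry either, and the conventional flood mitigation that keeps retries intact is `net.ipv4.tcp_syncookies=1`. Port 445 is SMB, so SYNs there have nothing to do with the web server and dropping them is harmless.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (and, with "apply" as root,
# installs) iptables rules that drop inbound TCP SYNs from the listed sources,
# and sets the tcp_synack_retries sysctl described in the post.

# One DROP rule per source. "--syn" = SYN set, ACK/RST/FIN clear (the opener
# only); "-I INPUT" puts the rule before any existing ACCEPT. Forwarded packets
# from the router arrive on the Pi as INPUT, so that is the right chain here.
synblock_rules() {
    for src in "$@"; do
        printf 'iptables -I INPUT -s %s -p tcp --syn -j DROP\n' "$src"
    done
}

# sysctl command for the retry count. 0 means the kernel sends one SYN,ACK and
# gives up on a silent peer, which is what cuts the outbound noise. The kernel
# accepts 0..255; anything else is rejected before it reaches sysctl.
synack_sysctl() {
    n=$1
    case $n in
        ''|*[!0-9]*) echo "tcp_synack_retries must be a non-negative integer" >&2; return 1 ;;
    esac
    [ "$n" -le 255 ] || { echo "tcp_synack_retries out of range (0..255)" >&2; return 1; }
    printf 'sysctl -w net.ipv4.tcp_synack_retries=%s\n' "$n"
}

# Number of half-open (SYN-RECV) sockets, i.e. SYNs we answered and are still
# waiting on. Watching this before/after shows whether the change helped.
synrecv_count() {
    ss -Htn state syn-recv 2>/dev/null | grep -c .
}

# Dry-run by default; apply only when asked and running as root.
main() {
    srcs="192.0.2.0/24 198.51.100.17"   # constructed placeholders, not real offenders
    if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
        # shellcheck disable=SC2086
        synblock_rules $srcs | sh -e
        synack_sysctl 0 | sh -e
        echo "half-open sockets now: $(synrecv_count)"
    else
        # shellcheck disable=SC2086
        synblock_rules $srcs
        synack_sysctl 0
    fi
}

main "$@"
```

Run it without arguments to see the commands it would issue; run `sudo sh synblock.sh apply` to install them. To make the iptables rules survive a reboot, save them with `iptables-save` and the sysctl with a drop-in under /etc/sysctl.d/. Keep a `-j LOG --log-prefix "SYNBLOCK "` rule ahead of the DROP while tuning so you can confirm in the journal that only the intended sources are hit.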
