Home / server / Questions / 475029
Accepted
Willem
Asked: 2013-02-04 13:45:16 +0800 CST

Spoofed DDoS protection strategy, filter window size == 0?

  • 772

I was hit by a SYN flood that nearly killed the network stack of my ipvs loadbalancer (80K packets/sec). The "ksoftirqd" process took 100% CPU, the machine was nearly unresponsive from the network. A tcpdump revealed packets such as these:

21:24:40.994920 IP 193.41.136.187.17435 > MY-IP.80: Flags [S], seq 3387555840, win 0, length 0
21:24:40.994940 IP 46.159.109.102.63863 > MY-IP.80: Flags [S], seq 4209573888, win 0, length 0
21:24:40.994961 IP 32.199.104.48.30346 > MY-IP.80: Flags [S], seq 512360448, win 0, length 0

I couldn't find common denominators in the flood, apart from the zero window size, which is possibly a hook for filtering.

  1. Is the ksoftirqd indeed the bottleneck?
  2. Is there a way to filter on the linux box BEFORE it reaches the ksoftirqd bottelenck?
  3. If not, how do I filter on window size == 0 on my Cisco 6509 ?

Thanks!

linux

1 Answers

  1. Best Answer

    Ok, so the bottleneck turned out to be the iptables rules / nat / connection tracking. 

    -A INPUT -p tcp -m tcp --tcp-flags SYN -m u32 --u32 0x6&0xff=0x6&&0x4&0x1fff=0x0&&0x0>>0x16&0x3c@0xc&0xffff=0x0 -j DROP

    With this as first rule, the load on the machine dropped significantly.

    • 0