# Syn Attack Ã¢Â€Â“ 6 Months Ã¢Â€Â“ Thousands Of Request A Second



## phpfreek2007 (Jul 21, 2009)

*Syn Attack â€“ 6 Months â€“ Thousands Of Request A Second*

Hi All,

For the last 6 months our site has been under severe brute force, syn flood attack. They keep bombarding a single URL of the server and it is xml file. They are not attacking any other URL.

e.g. http://www.example.com/rss123/attackedfilename.xml




Following we have done till now is mentioned below for the configurations.

sysctl.conf

```
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# 65536 seems to be the max it will take
net.ipv4.ip_conntrack_max = 1048576
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
```
fwsnort, bfd burnintest chkrootkit ddos faf lsm nobody_check sim apf

modsecurity-apache

```
LoadModule evasive20_module /usr/lib64/httpd/modules/mod_evasive20.so

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 3
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
</IfModule>

LoadModule security_module /usr/lib64/httpd/modules/mod_security.so

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 3
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
</IfModule>
```

Firewall: APF

Again,
Hope this helps you to see the issue in detail. I have also put the latest configurations to keep site going on.
Besides all these details, please let me know for any suggestion you think will be helpful or details you want.
Thank you for your help in advance! Help!

Regards,

Sam


----------



## DutchDaemon (Jul 21, 2009)

> Kernel sysctl configuration file for *Red Hat Linux*



Why are you asking this on a FeeBSD forum?


----------



## DutchDaemon (Jul 21, 2009)

Seems like you're all over the place with this issue already ...

Anyway, nothing to do with FreeBSD. Thread closed.


----------

