
Syncookied on linux router #21

Open
JOSEFGRILL opened this issue Sep 8, 2016 · 4 comments
@JOSEFGRILL

Hello,
is it possible to use Syncookied (directly) on a Linux router?

@polachok
Contributor

polachok commented Sep 9, 2016

Hi,
can you be more specific about what exactly you want to achieve?

@JOSEFGRILL
Author

Hi, thank you for your response.

I mean the cleaning process without an additional server and without traffic diversion. The cleaning process directly on the Linux router.

We have a Linux router with Debian 8 (in front of the webservers). We need to protect these webservers continuously. Is it possible to use Syncookied on this router for each incoming packet?

If an attack is strong we use traffic diversion in routing and this traffic (the attack) is transferred to a special router with synproxy. Synproxy performs the mitigation and the clean traffic is transferred to our network.

Our servers are under small TCP+SYN (SYN+ACK etc.) attacks at any time and we need to clean these small attacks at any time.

@polachok
Contributor

polachok commented Sep 9, 2016

syncookied requires a dedicated network card which will be disconnected from the Linux network stack.
If you have a supported card installed in your router which is not used, you can use it for syncookied and configure your router to transfer traffic to this port for filtering.

Bear in mind that syncookied is designed for large attacks (i.e. it will waste CPU resources when idle) and you may be better served by the Linux synproxy functionality in case your attack is small.

@JOSEFGRILL
Author

We have one free 10 Gbps card now and we can add a dedicated network card. This isn't a problem. How can we use this hardware? How do we set it up correctly? We need to use this dedicated card for Syncookied and send the clean traffic back to the router (to the normal path, to process these packets in iptables, for example). Can you explain this, please?

We have a router with a strong CPU and plenty of RAM. We normally use "-j CT --notrack" for all packets in iptables and the router is working fine. CPU load is 0.1 and "si" is around 0.5, for example. We can use this CPU for Syncookied. The router is slow if we use synproxy because we can't use "-j CT --notrack" for all packets.

For example, we have 300 IPv4 addresses with webservers and each is receiving around 150-500 TCP+SYN (or similar) pps. This isn't a big number but it is 45,000-150,000 invalid TCP+SYN packets per second (going through the router). Stronger attacks (to a single IP) are transferred to the synproxy filter.
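The thread's sticking point is that Linux SYNPROXY needs conntrack for the flows it proxies, while the router keeps "-j CT --notrack" for everything to stay fast. The script below is an added example, not code from the syncookied project or from either participant: it installs SYNPROXY only for the listed protected addresses and ports (raw-table ACCEPT keeps just those flows tracked, the initial SYN is untracked so SYNPROXY answers it, and the global notrack rule follows), leaving all other traffic untracked as before. Assumptions: the webservers sit behind the router so the FORWARD chain applies, `PROTECTED`, `PORTS`, `IPT` and `SYSCTL` are hypothetical knobs of this script, and the addresses are constructed documentation-range samples.

```shell
#!/bin/sh
# Added example: selective Linux SYNPROXY on a forwarding router that otherwise
# runs "-j CT --notrack" for every packet. Not part of syncookied.
# Assumptions: protected web servers are behind the router (FORWARD path),
# listed in PROTECTED (constructed sample addresses), on the TCP ports in PORTS.
# Set IPT=echo SYSCTL=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
PROTECTED="${PROTECTED:-192.0.2.10 192.0.2.11}"
PORTS="${PORTS:-80 443}"

# Kernel knobs SYNPROXY depends on: it encodes TCP options in the cookie
# (timestamps on) and conntrack must not adopt mid-stream flows (tcp_loose off).
synproxy_sysctls() {
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.tcp_timestamps=1
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_loose=0
}

# Emit the rules for one protected address and port.
synproxy_rules() {
    dst="$1"; port="$2"
    # raw/PREROUTING: the client's initial SYN must be untracked so that the
    # SYNPROXY target sees it as UNTRACKED and completes the handshake itself.
    $IPT -t raw -A PREROUTING -p tcp --syn -d "$dst" --dport "$port" -j CT --notrack
    # Every other packet of these flows must stay tracked, because SYNPROXY
    # rewrites sequence numbers through the conntrack entry it creates.
    # ACCEPT in raw ends raw processing before the global --notrack rule.
    $IPT -t raw -A PREROUTING -p tcp -d "$dst" --dport "$port" -j ACCEPT
    $IPT -t raw -A PREROUTING -p tcp -s "$dst" --sport "$port" -j ACCEPT
    # filter/FORWARD: untracked SYNs (and INVALID packets) for this service go
    # to SYNPROXY; --mss should match what the backend actually advertises.
    $IPT -A FORWARD -p tcp -d "$dst" --dport "$port" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
}

# Whole policy: per-service rules first, then the existing catch-all notrack,
# then drop what conntrack still flags INVALID (bogus ACKs, unanswered cookies).
synproxy_policy() {
    synproxy_sysctls
    for dst in $PROTECTED; do
        for port in $PORTS; do
            synproxy_rules "$dst" "$port"
        done
    done
    $IPT -t raw -A PREROUTING -j CT --notrack
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Dry run the policy and count the SYNPROXY rules it would install; a cheap
# sanity check of the generated set before touching a production router.
synproxy_rule_count() {
    ( IPT=echo; SYSCTL=echo; synproxy_policy ) | grep -c -- '-j SYNPROXY'
}

# Usage: sh synproxy.sh apply            (as root)
#        IPT=echo SYSCTL=echo sh synproxy.sh apply   (print only)
if [ "${1:-}" = apply ]; then
    synproxy_policy
fi
```

Because only the protected destination/source pairs reach conntrack, the rest of the router's forwarding path keeps the cost profile of the all-notrack setup described above; the price is one conntrack entry per proxied connection, which is what SYNPROXY needs to splice the client-side and server-side handshakes.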
