On 2019-11-01 01:01+0000, Andy Smith wrote:
> So I'm seeing a lot of TCP packets with the SYN flag set ("[S]")
> coming from hosts all over 185.90.116.0/22, but they never actually
> establish a connection and exchange data. I think that's a SYN
> flood.
>
> If you are seeing flapping alerts for your TCP-based services, can
> you have a look to see if the same is happening to you?
>
> If using tcpdump you'd want something like:
>
> # tcpdump -vpni eth0 'tcp and dst port 53'
>
> (For looking at TCP traffic to your DNS server)
One of the countermeasures (and a thing I didn't suggest during an
interview for an SRE at a large search company) is to enable SYN
cookies, look at drawbacks though. This turns the three-way handshake
into four-way, and doesn't steal space from the state table until the
third state of the now four-way handshake.

https://en.wikipedia.org/wiki/SYN_cookies
--
Best regards,
Ed
http://www.s5h.net/
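As an added example (not code from either poster), here is a small Python check that runs over tcpdump-style lines and tallies, per source address, SYN segments against any later ACK or data segment, so the "SYNs that never establish a connection" pattern described above shows up as sources that only ever sent SYNs, counted against the /22 in question. The sample lines are constructed, and the line shape assumed is tcpdump's non-verbose one-line form.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the shape of non-verbose tcpdump output for
# 'tcp and dst port 53' (not a real capture). Three sources inside
# 185.90.116.0/22 only ever send SYNs; one client completes the handshake
# and pushes data, as a legitimate resolver query would.
SAMPLE_LINES = """\
01:01:02.100000 IP 185.90.116.10.40001 > 203.0.113.5.53: Flags [S], seq 1, win 65535, length 0
01:01:02.100100 IP 185.90.117.77.40002 > 203.0.113.5.53: Flags [S], seq 2, win 65535, length 0
01:01:02.100200 IP 198.51.100.9.51000 > 203.0.113.5.53: Flags [S], seq 3, win 65535, length 0
01:01:02.100300 IP 198.51.100.9.51000 > 203.0.113.5.53: Flags [.], ack 1, win 502, length 0
01:01:02.100400 IP 198.51.100.9.51000 > 203.0.113.5.53: Flags [P.], seq 1:30, ack 1, win 502, length 29
01:01:02.100500 IP 185.90.119.200.40003 > 203.0.113.5.53: Flags [S], seq 4, win 65535, length 0
01:01:02.100600 IP 185.90.116.10.40004 > 203.0.113.5.53: Flags [S], seq 5, win 65535, length 0
"""

# Matches "src.sport > dst.dport: Flags [..]" regardless of what precedes it,
# so it also fits the second line of tcpdump's -v two-line form.
LINE_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > \d+(?:\.\d+){3}\.\d+: Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(lines):
    """Per source IP: how many SYNs were seen and whether any non-SYN segment followed."""
    stats = defaultdict(lambda: {"syn": 0, "other": 0})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        bucket = "syn" if m.group("flags") == "S" else "other"
        stats[m.group("src")][bucket] += 1
    return dict(stats)

def suspect_sources(stats, min_syn=1):
    """Sources that sent SYNs but never an ACK or data segment (half-open only)."""
    return sorted(src for src, s in stats.items() if s["syn"] >= min_syn and s["other"] == 0)

def syn_only_in_prefix(stats, network):
    """(suspects inside the prefix, suspects overall), e.g. for the reported /22."""
    net = ipaddress.ip_network(network)
    suspects = suspect_sources(stats)
    inside = [s for s in suspects if ipaddress.ip_address(s) in net]
    return len(inside), len(suspects)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    print(suspect_sources(stats), syn_only_in_prefix(stats, "185.90.116.0/22"))
```

On a live box, the same functions can be fed `tcpdump -pni eth0 'tcp and dst port 53'` output via stdin instead of the constructed lines.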