DDoS Basic Defense: Responding to SYN Flood and HTTP Flood
DDoS (Distributed Denial of Service) attacks overwhelm a server with traffic from many sources at once. Basic web-server settings and OS-level tuning can absorb small-to-medium attacks; volumetric attacks that saturate the server's uplink can only be stopped upstream (ISP or CDN), because by then every packet has already arrived.
DDoS Attack Type Defense Strategies
| Attack Type | Layer | Defense Method |
|---|---|---|
| SYN Flood | L4 (TCP) | OS SYN Cookie, firewall |
| UDP Flood | L4 (UDP) | Firewall, rate limiting |
| HTTP Flood | L7 (HTTP) | Rate Limiting, WAF |
| Slowloris | L7 (HTTP) | Timeout settings, connection limits |
| DNS Amplification | L3/L4 | Upstream filtering |
OS-Level SYN Flood Defense
# Add to /etc/sysctl.conf (or a file under /etc/sysctl.d/)
# Enable SYN cookies (core SYN Flood defense)
# When the SYN backlog fills, the kernel answers with a stateless cookie instead of
# keeping a half-open entry, so the backlog cannot be exhausted
net.ipv4.tcp_syncookies = 1
# Reduce SYN-ACK retransmit attempts (default 5 → 3) so half-open entries expire sooner
net.ipv4.tcp_synack_retries = 3
# Increase the SYN backlog queue (the listen backlog / net.core.somaxconn caps it too)
net.ipv4.tcp_max_syn_backlog = 4096
# Reuse TIME_WAIT sockets for new *outgoing* connections (helps a reverse proxy
# talking to its backends; it does nothing for inbound attack traffic)
net.ipv4.tcp_tw_reuse = 1
# Shorten the FIN_WAIT_2 hold time
net.ipv4.tcp_fin_timeout = 15
# ICMP rate limiting: icmp_ratelimit is the minimum interval in milliseconds between
# ICMP replies of the types in icmp_ratemask to one destination (kernel default 1000).
# A smaller value loosens the limit, so keep the default or raise it.
# 88089 adds echo reply (type 0) and timestamp/info reply to the default mask 6168
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 88089
# Increase the connection tracking table (each entry costs memory; these keys only
# exist once the nf_conntrack module is loaded, otherwise sysctl -p reports an error)
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 600
sudo sysctl -p # Apply immediately
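Applying the sysctls is only half the job: a practitioner wants to confirm they took effect and to see how many half-open (SYN_RECV) connections each peer is holding, since that is the number a SYN flood inflates. The script below is an added example, not part of the original page; it assumes the three key/value pairs listed in the sysctl block above, reads them from /proc/sys (the PROC_BASE variable exists only so the audit can be exercised against a constructed directory tree), and parses `ss -Htn state syn-recv` output. The SS_SAMPLE lines are constructed, not a real capture.

```shell
#!/bin/sh
# syn_audit.sh (added example): confirm the SYN-flood sysctls are live and
# measure half-open (SYN_RECV) connections per peer.
# PROC_BASE defaults to the real /proc/sys; overridable only for offline checks.
PROC_BASE="${PROC_BASE:-/proc/sys}"

# Keys and the values the sysctl.conf block sets.
expected_values() {
  cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_synack_retries 3
net.ipv4.tcp_max_syn_backlog 4096
EOF
}

# read_sysctl KEY: print the live value (dots become path separators), or "missing".
read_sysctl() {
  f="$PROC_BASE/$(printf '%s' "$1" | tr . /)"
  if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# audit_sysctls: one OK/MISMATCH line per key; returns 1 if any value differs.
audit_sysctls() {
  bad=0
  while read -r key want; do
    have=$(read_sysctl "$key")
    if [ "$have" = "$want" ]; then
      echo "OK       $key = $have"
    else
      echo "MISMATCH $key = $have (want $want)"
      bad=1
    fi
  done <<EOF
$(expected_values)
EOF
  return "$bad"
}

# half_open_by_peer: reads `ss -Htn state syn-recv` output on stdin and prints
# "count peer" sorted descending. With a state filter ss omits the State column,
# so the peer address is field 4; the trailing :port is stripped (IPv6 stays bracketed).
half_open_by_peer() {
  awk '{print $4}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed ss output (not a real capture) so the parser can be demonstrated offline.
SS_SAMPLE='0 0 10.0.0.5:443 203.0.113.7:51000
0 0 10.0.0.5:443 203.0.113.7:51001
0 0 10.0.0.5:443 203.0.113.7:51002
0 0 10.0.0.5:443 198.51.100.4:40000
0 0 [2001:db8::1]:443 [2001:db8::15]:40001'

case "${1:-}" in
  audit)     audit_sysctls ;;
  half-open) ss -Htn state syn-recv | half_open_by_peer | head -10 ;;
  demo)      printf '%s\n' "$SS_SAMPLE" | half_open_by_peer ;;
esac
```

`sh syn_audit.sh audit` exits non-zero on any mismatch, so it doubles as a post-provisioning check; `sh syn_audit.sh half-open` on a host under attack shows which peers are filling the backlog, and `demo` runs the parser over the constructed sample.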
SYN Flood Defense with iptables
# Rate limit SYN packets: up to 500/s sustained with a burst of 1000, the rest dropped.
# This is a single global limit, so during an attack legitimate SYNs are dropped too;
# per-source limiting needs the hashlimit match instead
iptables -A INPUT -p tcp --syn -m limit --limit 500/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Drop packets that do not belong to any tracked connection (INVALID state)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop NULL packets (no TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop XMAS packets (all TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Crude port-scan heuristic: log and drop bare RST packets beyond one per second
# (the recent list is only written here, nothing consults it, so it acts as a marker)
iptables -N portscan
iptables -A portscan -m recent --name portscan --set -j LOG --log-prefix "Portscan: "
iptables -A portscan -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j portscan
# Save the rules (iptables-persistent reloads /etc/iptables/rules.v4 at boot).
# The redirection has to run as root too, not only iptables-save
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Nginx Slowloris Attack Defense
Slowloris opens many connections and sends request headers a few bytes at a time, each just before the timeout, until the server's connection slots are exhausted.
http {
# Client timeout settings (core Slowloris defense)
# Maximum time to receive the complete request header (default 60s → 10s);
# on expiry Nginx closes the connection with 408
client_header_timeout 10s;
# Maximum idle time between two successive reads of the request body (not a total)
client_body_timeout 10s;
# Maximum idle time between two successive writes of the response (not a total)
send_timeout 10s;
# Keepalive idle time (default 75s; keep it short so idle connections free their slot)
keepalive_timeout 15s;
# Concurrent connection limit (per client IP); the zone must be defined at http level
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
server {
# Maximum 20 concurrent connections per IP (clients behind a shared NAT count together)
limit_conn conn_limit 20;
# Limit request header size (defend against large-header attacks); these are the
# defaults, and raising them (e.g. to 16k) weakens the limit
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
# Maximum request body size (10MB)
client_max_body_size 10m;
}
}
Nginx HTTP Flood Defense
http {
# Request rate limit per client IP: 20 requests/second sustained.
# Behind a CDN or load balancer $binary_remote_addr is the proxy's address; use the
# real_ip module (set_real_ip_from / real_ip_header) so the limit applies per client
limit_req_zone $binary_remote_addr zone=http_flood:10m rate=20r/s;
# Separate, slower zone for the login endpoint (reusing http_flood would keep its 20r/s rate)
limit_req_zone $binary_remote_addr zone=login:10m rate=2r/s;
# Return 429 instead of the default 503 when a request is rejected
limit_req_status 429;
# Block bot User-Agents. The header is client-controlled and trivially spoofed,
# so this only stops unsophisticated tools; treat it as a speed bump, not a control
map $http_user_agent $bad_bot {
default 0;
~*malicious_bot 1;
~*scrapy 1;
~*python-requests 1;
"" 1; # Block requests with no User-Agent
}
server {
# Block bots for every location (a plain return inside if is safe)
if ($bad_bot) {
return 403;
}
# HTTP Flood defense
location / {
# up to 40 requests above the rate pass immediately, the rest get 429
limit_req zone=http_flood burst=40 nodelay;
proxy_pass http://backend;
}
# Login page → stricter limits: 2r/s with a burst of 5
location /login {
limit_req zone=login burst=5 nodelay;
proxy_pass http://backend;
}
}
}
Attack Detection and Automatic Blocking (fail2ban)
sudo apt install fail2ban
# /etc/fail2ban/jail.local
[DEFAULT]
# Block duration (10 minutes)
bantime = 10m
# Detection window
findtime = 10m
# Allowed failure count
maxretry = 5
# Block Nginx HTTP authentication failures
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
# Block clients that repeatedly trip limit_req. Nginx logs each rejection to error.log
# as "limiting requests"; the status code sent to the client (503 or 429) is irrelevant here
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
logpath = /var/log/nginx/error.log
maxretry = 10
bantime = 1h
# SSH brute force defense
[sshd]
enabled = true
maxretry = 5
bantime = 1h
# Write the nginx-req-limit filter. A rejected request is logged as
#   ... limiting requests, excess: 40.500 by zone "http_flood", client: 203.0.113.9, ...
# <HOST> is fail2ban's placeholder for the IPv4/IPv6 address to ban
sudo tee /etc/fail2ban/filter.d/nginx-req-limit.conf > /dev/null << 'EOF'
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =
EOF
# Test the filter against the real log before enabling the jail
sudo fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-req-limit.conf
# Restart fail2ban and check status
sudo systemctl restart fail2ban
sudo fail2ban-client status nginx-req-limit
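Before trusting a custom failregex it is worth seeing exactly which log lines it catches, in particular that it counts rejections but not the "delaying request" lines Nginx writes when a burst is used without nodelay. The script below is an added example, not part of the original page or of fail2ban: it applies the failregex from the filter above to constructed error.log lines with grep and sed, approximates fail2ban's <HOST> expansion with a simple IPv4/IPv6 pattern, and mirrors the maxretry rule (ignoring findtime). All sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# f2b_check.sh (added example): run the nginx-req-limit failregex over constructed
# error.log lines offline and apply the maxretry rule. On a real host the equivalent is
#   fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-req-limit.conf

# The failregex from the filter file; <HOST> is fail2ban's placeholder for the address.
FAILREGEX='limiting requests, excess:.* by zone.*client: <HOST>'
# Approximation of what <HOST> expands to (IPv4 or IPv6); fail2ban's own pattern is broader.
HOST_RE='([0-9]{1,3}([.][0-9]{1,3}){3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)'

# Constructed sample of /var/log/nginx/error.log (not real traffic). Lines 1-3 are
# rejections and must match; line 4 is a *delayed* request (burst without nodelay),
# which must not count; line 5 names a client but is an unrelated error.
SAMPLE_LOG='2024/05/01 10:00:01 [error] 1234#1234: *17 limiting requests, excess: 40.500 by zone "http_flood", client: 203.0.113.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:01 [error] 1234#1234: *18 limiting requests, excess: 40.510 by zone "http_flood", client: 203.0.113.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 1234#1234: *19 limiting requests, excess: 5.200 by zone "login", client: 2001:db8::15, server: example.com, request: "POST /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [warn] 1234#1234: *20 delaying request, excess: 3.000 by zone "http_flood", client: 198.51.100.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:03 [error] 1234#1234: *21 open() "/var/www/html/missing" failed (2: No such file or directory), client: 198.51.100.77, server: example.com, request: "GET /missing HTTP/1.1", host: "example.com"'

# matched_hosts: stdin = log lines; prints the <HOST> of every line the failregex matches.
matched_hosts() {
  re=$(printf '%s\n' "$FAILREGEX" | sed "s#<HOST>#$HOST_RE#")
  grep -E "$re" | sed -E 's/.*client: ([0-9a-fA-F.:]+).*/\1/'
}

# ban_candidates MAXRETRY: hosts matched at least MAXRETRY times. findtime is ignored
# here; fail2ban additionally requires the matches to fall inside that window.
ban_candidates() {
  matched_hosts | sort | uniq -c | awk -v n="$1" '$1 >= n { print $2 }'
}

echo "matched hosts:"
printf '%s\n' "$SAMPLE_LOG" | matched_hosts
echo "would be banned with maxretry = 2:"
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 2
```

The point of the negative samples is the check people skip: a failregex that also matched "delaying request" would ban clients who merely exceeded the rate briefly and were served after a delay, not rejected.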
Attack Response Procedure
# 1. Identify attacking IPs: top sources overall, then top sources of 4xx/5xx
# ($9 is the status code in the combined log format)
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
awk '$9 ~ /^[45]/ {print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# 2. Established connections per peer. With a state filter ss drops the State column,
# so the peer address is column 4; -H suppresses the header, sed strips the :port
ss -Htn state established | awk '{print $4}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -20
# 3. Immediately block an attacking IP at the packet filter (-I puts the rule first)
sudo iptables -I INPUT -s <attack_IP> -j DROP
# 4. Or deny it in Nginx: include a blocklist file once in nginx.conf (http or server context)...
# /etc/nginx/nginx.conf
include /etc/nginx/blocklist.conf;
# ...then append addresses to it and reload after a config test
echo "deny <attack_IP>;" | sudo tee -a /etc/nginx/blocklist.conf
sudo nginx -t && sudo nginx -s reload
# 5. Report to the upstream ISP/CDN
# If using Cloudflare, AWS Shield, etc. → block from the dashboard; a filter on the
# server cannot help once the attack traffic has already saturated the uplink
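Counting total requests per IP (step 1) also surfaces busy but legitimate clients such as monitoring or a corporate NAT. A better flood signal is the peak number of requests a single client sent within one second. The script below is an added example, not part of the original page: it assumes the Nginx combined log format ($1 client IP, $4 the "[dd/Mon/yyyy:HH:MM:SS" timestamp, $9 status), and the log lines it runs over are constructed by a small generator, not real traffic.

```shell
#!/bin/sh
# flood_sources.sh (added example): rank HTTP-flood sources in an Nginx access.log
# by their peak requests-per-second rather than by total count.

# flood_sources THRESHOLD: stdin = access log (combined format); prints
# "ip peak_rps total" for every client whose peak per-second count reaches
# THRESHOLD, highest peak first.
flood_sources() {
  awk -v t="$1" '
    { sec[$1 SUBSEP $4]++; total[$1]++ }
    END {
      for (k in sec) {
        split(k, p, SUBSEP)
        if (sec[k] > peak[p[1]]) peak[p[1]] = sec[k]
      }
      for (ip in peak)
        if (peak[ip] >= t) printf "%s %d %d\n", ip, peak[ip], total[ip]
    }' | sort -k2,2nr -k3,3nr
}

# log_lines N IP SECOND STATUS: emit N constructed combined-format lines (sample data).
log_lines() {
  n=$1
  while [ "$n" -gt 0 ]; do
    printf '%s - - [01/May/2024:10:00:%02d +0000] "GET / HTTP/1.1" %s 612 "-" "curl/8.0"\n' "$2" "$3" "$4"
    n=$((n-1))
  done
}

# Constructed sample: one client bursting 6 then 4 requests in consecutive seconds,
# one moderate client, and one stray 404.
SAMPLE_ACCESS=$(
  log_lines 6 203.0.113.9 1 503
  log_lines 4 203.0.113.9 2 200
  log_lines 2 198.51.100.4 1 200
  log_lines 1 198.51.100.4 3 200
  log_lines 1 192.0.2.5 2 404
)

echo "clients peaking at >= 5 requests/second:"
printf '%s\n' "$SAMPLE_ACCESS" | flood_sources 5
# On a live host, feed the real log and hand the result to step 3's packet filter rule:
#   flood_sources 50 < /var/log/nginx/access.log | awk '{print $1}' \
#     | while read -r ip; do sudo iptables -I INPUT -s "$ip" -j DROP; done
```

Pick the threshold from the log of a normal day first (run it with a low value and look at the tail of the output); a value just above the busiest legitimate client avoids blocking shared NATs.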
CDN/Cloud DDoS Defense Integration
Small-scale attacks (< 1 Gbps):
Nginx rate limiting + fail2ban + iptables on the server itself
Medium-scale attacks (1~10 Gbps):
Cloudflare Free/Pro → automatic DDoS mitigation at the CDN edge (restrict the origin to the CDN's address ranges, otherwise an attacker bypasses the CDN by hitting the origin IP directly)
Large-scale attacks (> 10 Gbps):
Cloudflare Enterprise / AWS Shield Advanced
(Cannot be defended at the web server level: once the uplink is saturated, nothing the host does matters)