DDoS Basic Defense: Responding to SYN Flood and HTTP Flood

DDoS (Distributed Denial of Service) attacks paralyze servers with massive traffic volumes. Web server-level basic defense settings and OS-level tuning can defend against small-to-medium scale attacks.


Defense Strategies by DDoS Attack Type

DDoS Protection Flow

Attack Type       | Layer     | Defense Method
------------------|-----------|------------------------------------
SYN Flood         | L4 (TCP)  | OS SYN cookies, firewall
UDP Flood         | L4 (UDP)  | Firewall, rate limiting
HTTP Flood        | L7 (HTTP) | Rate limiting, WAF
Slowloris         | L7 (HTTP) | Timeout settings, connection limits
DNS Amplification | L3/L4     | Upstream filtering

OS-Level SYN Flood Defense

# Add to /etc/sysctl.conf

# Enable SYN Cookie (core SYN Flood defense)
# Issues cookies for half-open connections to prevent memory exhaustion
net.ipv4.tcp_syncookies = 1

# Reduce SYN-ACK retransmit attempts (default 5 → 3)
net.ipv4.tcp_synack_retries = 3

# Increase SYN backlog queue size
net.ipv4.tcp_max_syn_backlog = 4096

# Reuse TIME_WAIT sockets
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15

# Limit ICMP request rate (ICMP Flood defense)
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_ratemask = 88089

# Increase connection tracking table size
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 600

sudo sysctl -p # Apply immediately

SYN Flood Defense with iptables

# Rate limit SYN packets: accept up to 500/s (burst of 1000), drop the excess
iptables -A INPUT -p tcp --syn -m limit --limit 500/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Block invalid packets (INVALID state)
iptables -A INPUT -m state --state INVALID -j DROP

# Block null packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Port scan defense: allow bare RST packets at 1/s, log and drop the excess
iptables -N portscan
iptables -A portscan -m recent --name portscan --set -j LOG --log-prefix "Portscan: "
iptables -A portscan -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j portscan

# Save settings
sudo iptables-save > /etc/iptables/rules.v4

Nginx Slowloris Attack Defense

Slowloris opens many connections and sends request headers very slowly, so that each connection stays open and the server's connection pool is exhausted.

http {
    # Client timeout settings (core Slowloris defense)

    # Maximum time to receive the full request header (default 60s, shortened to 10s)
    client_header_timeout 10s;

    # Maximum time between two successive reads of the request body
    client_body_timeout 10s;

    # Maximum time between two successive writes of the response to the client
    send_timeout 10s;

    # Keepalive hold time (keep short)
    keepalive_timeout 65s;

    # Shared-memory zone keyed by client IP, used by limit_conn below
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    server {
        # Maximum 20 concurrent connections per IP
        limit_conn conn_limit 20;

        # Request header buffer sizes (bound the memory an oversized header can consume)
        large_client_header_buffers 4 16k;
        client_header_buffer_size 1k;

        # Maximum request body size (10MB)
        client_max_body_size 10m;
    }
}

Nginx HTTP Flood Defense

http {
    # Request rate limit per IP: 20 requests/second, 10MB of shared state
    limit_req_zone $binary_remote_addr zone=http_flood:10m rate=20r/s;

    # Flag bot User-Agents (~* is a case-insensitive regex match)
    map $http_user_agent $bad_bot {
        default 0;
        ~*malicious_bot 1;
        ~*scrapy 1;
        ~*python-requests 1;
        "" 1;   # Block requests with no User-Agent
    }

    server {
        # HTTP Flood defense
        location / {
            # Tolerate up to 40 requests above the rate before rejecting;
            # nodelay serves the burst immediately instead of queueing it
            limit_req zone=http_flood burst=40 nodelay;

            # Block bots
            if ($bad_bot) {
                return 403;
            }

            # Assumes an upstream block named "backend" is defined elsewhere
            proxy_pass http://backend;
        }

        # Login page: stricter limit (same rate, smaller burst)
        location /login {
            limit_req zone=http_flood burst=5 nodelay;
            proxy_pass http://backend;
        }
    }
}
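To make the rate/burst/nodelay arithmetic above concrete, here is an added Python model of limit_req's leaky bucket (example code, not Nginx's implementation or the page's own); the client address 203.0.113.7 and the request timings are constructed.

```python
"""Leaky-bucket model of Nginx limit_req (added example, not Nginx source).

Nginx keeps a per-key 'excess' counter: on each request it drains the excess
by rate * elapsed, adds one, and rejects the request if the result exceeds
burst. This model uses whole requests instead of Nginx's 1/1000 units.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float                       # requests per second (rate=20r/s -> 20)
    burst: int                        # excess tolerated before rejection
    state: dict = field(default_factory=dict)   # key -> (excess, last_seen)

    def allow(self, key: str, now: float) -> bool:
        """Return True if the request from `key` at time `now` is accepted."""
        prev_excess, last = self.state.get(key, (0.0, now))
        # Drain for the time since the last accepted request, then charge one.
        excess = max(prev_excess - self.rate * (now - last), 0.0) + 1.0
        if excess > self.burst:
            return False   # rejected; stored state stays unchanged, as in Nginx
        # With `nodelay` accepted requests are served at once rather than
        # queued until the excess drains; the bookkeeping is the same.
        self.state[key] = (excess, now)
        return True


def simulate(rate: float, burst: int, timestamps: list[float],
             key: str = "203.0.113.7") -> tuple[int, int]:
    """Feed requests at the given timestamps (seconds) from one constructed
    client IP and return (accepted, rejected)."""
    zone = LimitReqZone(rate, burst)
    accepted = rejected = 0
    for ts in sorted(timestamps):
        if zone.allow(key, ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    flood = [0.0] * 100                       # 100 requests in the same instant
    print("/ burst=40:", simulate(20, 40, flood))          # (40, 60)
    print("/login burst=5:", simulate(20, 5, flood))       # (5, 95)
    print("10 r/s steady:", simulate(20, 40, [i * 0.1 for i in range(100)]))  # (100, 0)
```

A client that stays under 20 r/s is never rejected regardless of burst, while burst only decides how many requests of a sudden spike get through before 503s start.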

Attack Detection and Automatic Blocking (fail2ban)

sudo apt install fail2ban

# /etc/fail2ban/jail.local

[DEFAULT]
# Block duration (10 minutes)
bantime = 10m
# Detection window
findtime = 10m
# Failures allowed within findtime before a ban
maxretry = 5

# Block Nginx HTTP authentication failures
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5

# Block clients that trip the Nginx request limit
# (limit_req writes "limiting requests" lines to error.log)
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
logpath = /var/log/nginx/error.log
maxretry = 10
bantime = 1h

# SSH brute force defense
[sshd]
enabled = true
maxretry = 5
bantime = 1h

# Write the custom nginx-req-limit filter (<HOST> is fail2ban's address placeholder)
sudo tee /etc/fail2ban/filter.d/nginx-req-limit.conf > /dev/null << 'EOF'
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =
EOF

# Restart fail2ban and check status
sudo systemctl restart fail2ban
sudo fail2ban-client status nginx-req-limit
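As an added example (not fail2ban's code or the page's own), the Python below runs the jail's failregex over constructed error.log lines in the format limit_req actually writes and applies the maxretry/findtime rule, which is also a quick way to confirm the filter matches before restarting fail2ban; the addresses 198.51.100.23 and 203.0.113.9 are constructed.

```python
"""Apply the page's nginx-req-limit failregex and fail2ban's maxretry/findtime
logic to sample Nginx error.log lines (added example, not fail2ban code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The jail's failregex with fail2ban's <HOST> tag replaced by a simplified
# address group (fail2ban expands <HOST> to a fuller IPv4/IPv6/hostname regex).
FAILREGEX = re.compile(
    r"limiting requests, excess:.* by zone.*client: (?P<host>[0-9a-fA-F.:]+)")
TS_FORMAT = "%Y/%m/%d %H:%M:%S"   # Nginx error.log timestamp prefix (19 chars)

def parse_limit_req_events(lines):
    """Yield (timestamp, client_ip) for every line rejected by limit_req."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            yield datetime.strptime(line[:19], TS_FORMAT), m.group("host")

def clients_to_ban(lines, maxretry=10, findtime=timedelta(minutes=10)):
    """Return the IPs that reach maxretry matches inside one findtime window,
    mirroring the [nginx-req-limit] jail (maxretry = 10, findtime = 10m)."""
    events = defaultdict(list)
    for ts, ip in parse_limit_req_events(lines):
        events[ip].append(ts)
    banned = set()
    for ip, times in events.items():
        times.sort()
        start = 0                 # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned

def _line(ts, ip, excess):
    """Constructed error.log line in the format limit_req actually emits."""
    return (f"{ts:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *42 limiting requests, "
            f'excess: {excess:.3f} by zone "http_flood", client: {ip}, '
            f'server: example.com, request: "GET / HTTP/1.1", host: "example.com"')

T0 = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_ERROR_LOG = (                   # constructed sample data
    [_line(T0 + timedelta(seconds=5 * i), "198.51.100.23", 40.5 + i) for i in range(12)]
    + [_line(T0 + timedelta(minutes=4 * i), "203.0.113.9", 41.0) for i in range(4)]
    + [f"{T0:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *43 upstream timed out, client: 203.0.113.9"]
)
```

`clients_to_ban(SAMPLE_ERROR_LOG)` bans only 198.51.100.23 (12 hits in under a minute); 203.0.113.9 never has more than 3 hits inside any 10-minute window, so it stays unbanned unless maxretry is lowered.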

Attack Response Procedure

# 1. Identify attacking IPs (top 20 sources of 4xx/5xx responses in the access log)
grep " 4[0-9][0-9] \| 5[0-9][0-9] " /var/log/nginx/access.log | \
    awk '{print $1}' | sort | uniq -c | sort -rn | head -20

# 2. Check network connection status (top 20 peers with established connections)
# With a state filter, ss omits the State column, so the peer address is field 4;
# NR>1 skips the header. IPv4 only: cutting on ':' would mangle IPv6 addresses.
ss -tn state established | awk 'NR>1 {print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20

# 3. Immediately block the attacking IP
sudo iptables -I INPUT -s <attack_IP> -j DROP
# Or deny it in Nginx
echo "deny <attack_IP>;" | sudo tee -a /etc/nginx/blocklist.conf
sudo nginx -s reload

# 4. Include the blocklist in Nginx (inside the http { } block of /etc/nginx/nginx.conf;
#    the include must be in place for the deny rules from step 3 to take effect)
include /etc/nginx/blocklist.conf;

# 5. Report to upstream ISP/CDN
# If using Cloudflare, AWS Shield, etc., block from the provider's dashboard

CDN/Cloud DDoS Defense Integration

Small-scale attacks (< 1 Gbps):
Nginx rate limiting + fail2ban + iptables

Medium-scale attacks (1-10 Gbps):
Cloudflare Free/Pro → automatic DDoS mitigation

Large-scale attacks (> 10 Gbps):
Cloudflare Enterprise / AWS Shield Advanced
(Cannot be defended at the web server level)