Re: Continuous medium traffic fake Syn packets

From: Mogens Valentin (
Date: 10/23/02

Date: Wed, 23 Oct 2002 12:52:01 +0200
From: Mogens Valentin <>
To: "Reinder P. Gerritsen" <>

"Reinder P. Gerritsen" wrote:
> I've been trying to get around this problem for quite some time. Still
> though I can not figure out what to do:
> The following is happening:
> Some unknown source is sending SYN packets to port 80 on my linux box.
> These SYN packs have their sender address altered.

If it can help here or in other situations, here's my /proc settings.
Among others, tcp_max_syn_backlog might be usefull...


# Disable forwarding while setting up rules (needed for masquerading):
    echo "0" >/proc/sys/net/ipv4/ip_forward
    # echo "1" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (prevent syn-flood attacks):
    echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Reduce number of possible SYN Floods:
    echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
    echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (use only if DOS'ed):
    #echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Enable defrag error protection:
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable time-wait assassination hazards in tcp (RFC 1337):
    echo "1" >/proc/sys/net/ipv4/tcp_rfc1337

# Sourcerouting and spoofing:
    for i in /proc/sys/net/ipv4/conf/*; do
        # Drop all source-routed packets:
        echo "0" >$i/accept_source_route

        # Deaktivate ICMP Redirect accept/send:
        echo "0" >$i/accept_redirects
        echo "0" >$i/send_redirects

        # Activate secure ICMP redirects (send only?) (on by default):
        echo "1" >$i/secure_redirects

        # Enable source-address verification (prevent spoofing):
        echo "1" >$i/rp_filter

# Log spoofed, source routed and redirect packets:
    echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

# Set local port range for listeners (ftp et al...)
# Connections initiated from the firewall: Range 56000 60999
# Masqueraded connections: Range 61000-65096.
# So, we combine these two ranges into one:
    #echo "56000 65096" >/proc/sys/net/ipv4/ip_local_port_range
    echo $LOCALPORTRANGE |sed 's/:/ /'

Note: Using the var LOCALPORTRANGE throughout my script is more
practical than hardcoding the range, which could be subject to change.

Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev

IT Networking, Security, Server Setup Phone +45 32 525 878 Cell 51 227 668