Linux developers under (SYN) denial of service attack

If you can’t reach your favorite Linux developer by IM or e-mail today, it’s because they’re under a denial of service (DoS) attack.

The top programmers are all at the Linux Plumbers conference, which is being hammered by an Internet attacker.

[Image: Syn Flood Attack. Massive DDoS attacks like Dyn get the headlines, but as the top Linux programmers recently found out, ISPs still aren’t protecting against old-fashioned Denial of Service attacks like SYN flood. Image credit: Cisco]

Yes, even the best developers in the world can be put out of commission when their Internet connection is strangled.

According to James Bottomley, an IBM Research distinguished engineer and a member of the Linux Plumbers Conference committee, “Since yesterday we are being attacked from the outside. The attack follows us as we switch external IP and the team has identified at least one inside node which looks suspicious.”

The conference is not being attacked by some sophisticated Internet of Things distributed denial of service (DDoS) attack like the Dyn attack. No, it’s being mugged by one of the oldest attacks in the DoS book: a SYN flood.

In a SYN flood, the attacker breaks the normal three-way TCP handshake that opens a connection: it sends the opening SYN but never finishes the handshake, leaving a half-open connection behind. If you do this enough times, “flooding” the router, the router runs out of memory for those half-open connections and no one is able to make Internet connections.

The truly annoying thing about this type of attack, which has been around for more than 20 years, is that it’s easy to prevent. There are at least eight, count them, eight, ways to mitigate SYN floods.

What’s far more troubling is that the Santa Fe ISP didn’t have any of the SYN flood defenses up. We know that massive Internet-killing DDoS attacks are on their way; and here we find a national ISP in a state capital can’t deal with an old-fashioned Internet assault.

I’ve predicted we’ll see serious Internet breakdown this year. Looking at this local Internet slowdown I’m surprised it hasn’t already. Yes, a lot of blame for Internet attacks goes to IoT manufacturers and insufficiently hardened web servers, but ISPs are guilty of poor security as well.

On most Linux machines, thwarting a SYN attack is really just a few lines of iptables firewall script added to the INPUT chain.

Here they are:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP            # stops NULL packet attacks (no TCP flags set)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP    # stops SYN-flood attacks: drops new connections that do not start with a SYN
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP             # stops Xmas packets (all TCP flags set)
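A defender-side check for the half-open connections a SYN flood leaves behind on a Linux host, as an added example that is not from the article; the sample /proc/net/tcp data, the addresses and the threshold are constructed.

```python
"""Spot a SYN flood on a Linux host from /proc/net/tcp (added example, not from the article).

Each inbound SYN the kernel has answered with SYN-ACK but not yet completed sits
in state 03 (SYN_RECV). A flood leaves many such half-open entries, usually from
a few sources, so counting them per remote address is a cheap first check.
"""
from collections import Counter
import socket
import struct

SYN_RECV = "03"  # TCP state code for SYN_RECV in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout: server 10.0.0.5:80, four half-open
# connections from 203.0.113.9, one established and one half-open from 198.51.100.7.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:0050 097100CB:C001 03 00000000:00000000 01:00000023 00000000     0        0 0
   1: 0500000A:0050 097100CB:C002 03 00000000:00000000 01:00000023 00000000     0        0 0
   2: 0500000A:0050 097100CB:C003 03 00000000:00000000 01:00000023 00000000     0        0 0
   3: 0500000A:0050 097100CB:C004 03 00000000:00000000 01:00000023 00000000     0        0 0
   4: 0500000A:0050 076433C6:D1A4 01 00000000:00000000 00:00000000 00000000  1000        0 4711
   5: 0500000A:0050 076433C6:D1A5 03 00000000:00000000 01:00000023 00000000     0        0 0
"""

def hex_to_ipv4(hex_addr: str) -> str:
    """Decode the little-endian hex IPv4 used in /proc/net/tcp ('0100007F' -> '127.0.0.1')."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def half_open_by_source(proc_net_tcp: str) -> Counter:
    """Map remote IPv4 address -> number of SYN_RECV (half-open) entries."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        rem_hex_ip, _port = fields[2].split(":")
        counts[hex_to_ipv4(rem_hex_ip)] += 1
    return counts

def flood_suspects(proc_net_tcp: str, threshold: int) -> list:
    """Sources with at least `threshold` half-open connections, busiest first."""
    return [(ip, n) for ip, n in half_open_by_source(proc_net_tcp).most_common() if n >= threshold]

if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read(); threshold 3 is a constructed value.
    for ip, n in flood_suspects(SAMPLE_PROC_NET_TCP, threshold=3):
        print(f"{ip}: {n} half-open connections")
```

With SYN cookies enabled (net.ipv4.tcp_syncookies) the kernel stops keeping these entries once the backlog fills, so a low count on a host under visible load is not proof that no flood is in progress.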