Portal Home > Knowledgebase > Articles Database > Can a managed hosting handle SYN flooding?


Can a managed hosting handle SYN flooding?




Posted by mark0168, 07-17-2006, 02:59 AM
We often meet SYN flooding or web ripper (download our site with Teleport alike software) problem with our website. They often make our site down for CPU overloading and too many connections. The only way we can do now is to restart the server and block the IPs. Unfortunately, that doesn't work for most blocked IPs are dynamic. After several days, they come back again for that most peole connect to internet by other dynamic IPs. We can't monitor our server for 24 hours a day, 365 days a year. Is there any good managed hosting can help us to resolve the problem? Downtime hurts our bussiness very much. We never know when the web rippers will come. We can't find effect solution on Google right now. Any suggestions? Thanks Last edited by mark0168; 07-17-2006 at 03:13 AM.

Posted by PeakVPN-KH, 07-17-2006, 03:21 AM
I am not sure of any companies that will monitor your server for you unless they host it themselves. My company would provide the service through our 24 hour monitoring team but in a case like this it is hard to know just how someone else's datacenter/firewall rules are setup. I would guess you will find it to be tough getting this kind of service. Have you tried setting up apache evade and apache security modules?

Posted by HostTitan, 07-17-2006, 10:42 AM
What safeguards have you attempted until now? What type of firewall, apache modules, and sql setup do you have? Have you considered creating a php script that can tell if someone is accessing many pages fast and banning? That could be interesting though i'm not sure its the most efficient way to go about it.

Posted by dkitchen, 07-17-2006, 12:28 PM
Some providers with a good infrastrcuture will be able to filter this upstream before it reaches your server, and this is what you need. You may actually be better putting the server behind a reverse proxy or something of that nature. Be upfront with the provider and let them know you have these problems, if they aren't aware before you sign up, they may not be able to help you. What kind of budget do you have for this? Are the downloads suspicious or anything of that nature (i.e. is there a reason they might be doing this?). Dan

Posted by sprintserve, 07-17-2006, 02:32 PM
If you invest in a hardware firewall (managed) syn flooding typically are possible to filter unless it huge and chews up the processor on the firewall as well. If it is the sort that you can simply block and they go away for a few days, chances are it's small enough for most hardware firewalls to handle such as a Cisco Pix. As for Apache level attacks, they are harder to block. But web rippers are easy to block as they come from a single IP. What we have done for some clients is that we have written a custom script that blocks any IPs that exceed a particular set threshold of connections. You may also want to hire managed services that do proactive / reactive monitoring. i.e. they will log in to check if the loads get too high etc , or if the services go down.

Posted by steven-v, 07-17-2006, 03:26 PM
I would suggest you to try professional server optimization - in some cases pro's can help you optimize your server in such a way, that you forget about this kind of headaches.

Posted by mark0168, 07-17-2006, 05:52 PM
In fact, we host our server on a very good reputation managed hosting. We can only afford their basic managed service, but bought a optional hardware firewall Cisco PIX and a extra ports watch service. We have met three times down for SYN flooding or web rippers over the 3 days. Our hosting supports said that they can do nothing about that for they can not moniter the speed of MySQL or Apache. What they can do is when some ports of our server down, they will check for me and resolve it if they can. The question is that showing a blank page or showing error pages have the same meaning of downtime to our visitors or consumers. They don't care wether your server is still online. What they see is that our webstite blank or error. About firewall, our hosting said that Cisco PIX can do nothing to SYN Flooding. They suggested us to install mod_evasive yesterday. However, I have searched WHT for mod_evasive. I start to worry about the disaster mod_evasive will give us. Some said that mode_evasive will block normal visitors as well especially when a site generates numerous image as .php filename by GD alike modules. Or it will easy to block consumers who are using IE as their browsers. Anyway, while I am repling this thread. Our site is down for SYN flooding again. I have to admire ourself for that we can attract so many rippers come. : ( Orz I have no choice but ask my hosting to install mod_evasive now. Is there a much better idea to stop the rippers? Any way I don't need to moniter our server all day long? Last edited by mark0168; 07-17-2006 at 05:56 PM.

Posted by reiteration, 07-17-2006, 05:59 PM
Managed hosting should make sure your protected from SYN flooding. If they don't its time to move.

Posted by mark0168, 07-17-2006, 06:06 PM
Thanks. However, we don't know which managed hosting can resolve the problem for us? Anyone can recommend a managed hosting can handle that? I really appreciate that if you can shared with me by PM or reply here. By the way, I just wonder if mod_evasive will stop normal visitors. Will Yahoo or Goolge spider be blocked? If so, that's another disaster to us for that we have some good ranking on keyword pages. Anyway, I hate rippers....Orz

Posted by reiteration, 07-17-2006, 06:10 PM
That depends on your budget and the location you want. SYN flooding is quite easy to protect against, DOS too, DDOS is the worst. Sure you can buy firewalls that claim to protect again DDOS but in reality when your being attacked by thousands of servers nothing will help you. What OS are you running ?

Posted by mark0168, 07-17-2006, 07:13 PM
We have not ever faced DDos, only small SYN flooding.. So our server is not down but all our website are. To our consumers, nothing different between Server or Website down. We are using Redhat RL4 with Cisco PIX. If Hardware firewall (CISCO PIX) can stop even small DDos, why our managed hosting said that they can do nothing about SYN flooding. I don't know whether the budget more than 500USD a month budget can help us to stop SYN flooding. We pay for our hosting more than 500USD monthly now. My partner agree with you that perhaps our budget is too little so that our manged hosting don't want to pay much attention to us.

Posted by reiteration, 07-17-2006, 07:59 PM
You could be right that they consider you too small to help, or want you to spend more. Check if SYN cookies are enabled: cat /proc/sys/net/ipv4/tcp_syncookies Should give 1 if its enabled.

Posted by mark0168, 07-17-2006, 09:47 PM
No, I have check the tcp_syncookies of my server. It is "0". Does that mean our current hosting is not professional enough to be a managed hosting? Should it be enabled? I googled it for a while but still not really understand it as Hardware Firewall function. Some people said that enable tcp_syncookies may delay the speed and may not take effect obviously . Some articles said that we should try to adjust "time_wait2" alike stuff, but it seems to for FreeBSD, not Redhat. One of the biggest question I have now is about Hardware Firewall, especially Cisco PIX. Since they can't stop SYN flooding, why some online shops said that it can against Dos on their webpages?

Posted by reiteration, 07-18-2006, 03:32 AM
If your having SYN attacks I would enable this : echo 1 > /proc/sys/net/ipv4/tcp_syncookies And see how things go. you can always put it back with: echo 0 > /proc/sys/net/ipv4/tcp_syncookies Alot of sysctl variables can be tuned in Linux to help erradicate your problems, the question is if your managed service provider feels your worth spending the time on.

Posted by warp2cris, 08-01-2006, 10:26 AM
yes, your company should have this tcp_syncookies in place at least. if the things get worst, try to see a specialized company for DOS/DDOS protection.

Posted by TCP/IP Warrior, 08-01-2006, 10:58 AM
Gigeservers.com or Staminus.net can help you. If you are not looking to move, you could use Gigeservers ProxyShield service. The type of problem that you are describing should be no challenge for these providers. Same goes for blacklotus.net. Good luck!

Posted by HostTitan, 08-02-2006, 04:25 PM
gigeservers has a solid reputation but the problem you have should be resolved without that much expense or effort. With a few tweaks, proactive monitoring, and a decent infrastructure, a manged provider will keep things smooth.



Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
PHP Counters? Anyone? (Views: 653)
Who I picked and Why (Views: 686)


Language: