DDoS Synflood Protection

About Synflood-Defender

What is Synflood-Defender

Synflood-Defender is an extension for the SNMP protocol that monitors the SYN queue and protects the host if a SYN-flood attack happens.


  • monitoring SYN-queue
  • changing TCP kernel parameters “on-the-fly” when threshold is reached
  • 2 protection modes: dynamic and force
  • the ability to specify kernel parameters you want to change
  • templates for Cacti are available for download
  • the ability to integrate with any monitoring system which supports SNMP

How it works

Each time the Synflood-Defender SNMP MIB is requested over SNMP, the script checks the current length of the SYN queue. If the current value exceeds the threshold and protection is enabled in the configuration, the TCP kernel parameters are set to strict values, which helps the host withstand a SYN flood.

Setting the TCP parameters to protective values at boot time is not a good idea, because clients with bad connections may be dropped. This is quite important nowadays, when many clients access the web via mobile devices.

When the SYN queue reaches the threshold, the administrator may be notified via e-mail if notifications are enabled.

If Synflood-Defender is set to force protection mode, the kernel parameters are set to strict values even when the SYN queue is below the threshold.
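
The check-and-switch logic described above, as an added sketch that is not Synflood-Defender's own code. The function names, the `off`/`dynamic`/`force` mode strings, the sample socket table and the strict sysctl values are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Synflood-Defender's code. All names/values are assumptions.

# Constructed sample in /proc/net/tcp layout (4th column "st": 03 = SYN_RECV).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100000A:0050 00000000:0000 0A 00000000:00000000
   1: 0100000A:0050 016433C6:C350 03 00000000:00000000
   2: 0100000A:0050 026433C6:C351 03 00000000:00000000
   3: 0100000A:0050 036433C6:9C40 01 00000000:00000000
   4: 0100000A:0050 046433C6:C352 03 00000000:00000000
EOF
}

# Current SYN-queue length: number of half-open (SYN_RECV) sockets in the table.
syn_queue_len() {   # $1 = file in /proc/net/tcp format
    awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }' "$1"
}

# Mode logic from the page: force is always strict; dynamic is strict only
# when the queue exceeds the threshold; anything else leaves the kernel alone.
choose_profile() {  # $1 = mode, $2 = queue length, $3 = threshold
    case "$1" in
        force)   echo strict ;;
        dynamic) if [ "$2" -gt "$3" ]; then echo strict; else echo unchanged; fi ;;
        *)       echo unchanged ;;
    esac
}

# Illustrative strict values (assumed, not the project's defaults).
strict_settings() {
    printf '%s\n' net.ipv4.tcp_syncookies=1 \
                  net.ipv4.tcp_synack_retries=2 \
                  net.ipv4.tcp_max_syn_backlog=4096
}

# Dry run on the sample: print the sysctl commands instead of executing them.
table=$(mktemp)
sample_table > "$table"
len=$(syn_queue_len "$table")
profile=$(choose_profile dynamic "$len" 2)
echo "SYN_RECV=$len threshold=2 profile=$profile"
if [ "$profile" = strict ]; then strict_settings | sed 's/^/sysctl -w /'; fi
rm -f "$table"
```

On a live Linux host, `syn_queue_len /proc/net/tcp` returns the real count; IPv6 sockets are listed separately in `/proc/net/tcp6`.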

Result of protection

[Figure: Result of Synflood Protection]

Planned features

  • mail notification when threshold is reached
  • switching to protective mode when the frequency of SYN requests grows, rather than when the threshold is reached
  • calculating possible net.core.somaxconn value depending on available RAM
  • adding more kernel parameters to change

If you would like any other features to be implemented, please let me know.
If you have any suggestions regarding improvement or development, please let me know.



© Volodymyr Kononenko 2011