I’m following a hardening guide (https://ohyaan.github.io/tips/raspberry_pi_security_hardening_complete_guide/) for the initial setup of a Raspberry Pi-based product (Pi 5, Debian Bookworm). I’m running into problems detecting a SYN flood. The device operates fine during the flood, but I’d like to document that the attack happens, as outlined in the guide:

```sh
tail -f /var/log/kern.log | while read -r line; do
    if echo "$line" | grep -q "SYN flood"; then
        echo "$(date): Potential SYN flood detected" >> "$LOGFILE"
    fi
    # (etc)
done
```
I’m attacking the Pi using hping3 from one or more virtual machines on the local network:

```sh
sudo hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.45.152
```
Wireshark shows the flood, and I’m getting entries in kern.log that imply it’s getting through, but I’m not seeing anything specifically claiming a SYN attack:

```
Sep 29 15:17:11 xxxyyy kernel: ll header: 00000000: 2c cf 67 6a 0a e8 00 0c 29 e4 ff 39 08 00
Sep 29 15:17:11 xxxyyy kernel: IPv4: martian source 192.168.45.152 from 227.250.109.109, on dev eth0
Sep 29 15:17:11 xxxyyy kernel: ll header: 00000000: 2c cf 67 6a 0a e8 00 0c 29 e4 ff 39 08 00
Sep 29 15:17:16 xxxyyy kernel: net_ratelimit: 1442 callbacks suppressed
Sep 29 15:17:16 xxxyyy kernel: IPv4: martian source 192.168.45.152 from 239.9.68.102, on dev eth0
Sep 29 15:17:16 xxxyyy kernel: ll header: 00000000: 2c cf 67 6a 0a e8 00 0c 29 e4 ff 39 08 00
```
The setup includes strict iptables rules and setting tcp_syncookies=1, but I’ve cleared the iptables rules and set syncookies to 0. In case there were log messages hidden within the ratelimit line, I disabled log_martians, and now the log is silent.

Is there a reason that kern.log wouldn’t include SYN flooding, or may I not be attacking the Pi correctly? Thanks for any insights.
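The following is an added example and is not code from the hardening guide or from the question. It shows what a kern.log watcher for this setup should actually match: the Linux kernel logs "Possible SYN flooding on port N. Sending cookies." (or "Dropping request.") only when a listening socket's SYN queue overflows, and that message tells you to check the TcpExt SNMP counters, so the script classifies log lines by that text, separates them from the "martian source" noise that --rand-source traffic produces, and reads the relevant counters from /proc/net/netstat. The sample log lines and the counter file used in testing are constructed.

```shell
# Added example, not code from the guide or the question. The kernel only logs
# "Possible SYN flooding on port N. Sending cookies." (or "... Dropping request.")
# when a listening socket's SYN queue overflows, so match that text and read the
# TcpExt counters the message points at. Sample data below is constructed.

# classify_line LINE -> synflood | martian | ratelimit | other
classify_line() {
    case "$1" in
        *"Possible SYN flooding on port"*)         echo synflood ;;
        *"martian source"*)                        echo martian ;;
        *"net_ratelimit:"*"callbacks suppressed"*) echo ratelimit ;;
        *)                                         echo other ;;
    esac
}

# summarize < LOGLINES -> "synflood=N martian=N ratelimit=N suppressed=N",
# where suppressed sums the lines the kernel dropped under net_ratelimit
summarize() {
    syn=0; mart=0; rl=0; sup=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            synflood)  syn=$((syn + 1)) ;;
            martian)   mart=$((mart + 1)) ;;
            ratelimit) rl=$((rl + 1))
                       n=$(printf '%s\n' "$line" | sed -n 's/.*net_ratelimit: \([0-9]*\) callbacks suppressed.*/\1/p')
                       sup=$((sup + ${n:-0})) ;;
        esac
    done
    echo "synflood=$syn martian=$mart ratelimit=$rl suppressed=$sup"
}

# tcpext_counter NAME [FILE] -> one TcpExt counter from /proc/net/netstat
# (SyncookiesSent, TCPReqQFullDoCookies, TCPReqQFullDrop); empty if absent
tcpext_counter() {
    awk -v name="$1" '
        $1 == "TcpExt:" && !idx { for (i = 2; i <= NF; i++) if ($i == name) idx = i; next }
        $1 == "TcpExt:" && idx  { print $idx; exit }
    ' "${2:-/proc/net/netstat}"
}

# sample_log -> constructed kern.log excerpt: 2 martian lines, 1 ratelimit line, 1 real warning
sample_log() {
    cat <<'EOF'
Sep 29 15:17:11 pi kernel: IPv4: martian source 192.168.45.152 from 227.250.109.109, on dev eth0
Sep 29 15:17:16 pi kernel: net_ratelimit: 1442 callbacks suppressed
Sep 29 15:17:16 pi kernel: IPv4: martian source 192.168.45.152 from 239.9.68.102, on dev eth0
Sep 29 15:17:20 pi kernel: TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
EOF
}
```

In the guide's tail -f loop, replace the grep test with `[ "$(classify_line "$line")" = synflood ]`; if no service is listening on port 80, no SYN queue exists and the kernel has nothing to warn about, which `tcpext_counter SyncookiesSent` staying at zero will confirm.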