Sunday, 21 October 2012

SYN_RECV flood

Today my monitoring tool reported weird traffic on the webserver.
A short investigation showed that we were under a SYN_RECV flood, which looked like this:
tcp        0      0 188.165.xxx.xxx:80        107.83.110.62:1234      SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        109.143.164.196:1234    SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        109.222.2.66:1234       SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        1.118.132.82:1234       SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        114.19.38.196:1234      SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        115.71.32.78:1234       SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        117.157.27.87:1234      SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        118.0.125.227:1234      SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        1.183.162.94:1234       SYN_RECV    -               
tcp        0      0 188.165.xxx.xxx:80        119.19.140.214:1234     SYN_RECV    -               
......... and many, many more ;]
With SYN cookies already turned on, I couldn't do much more about it than limit connections in SYN_RECV to 1 per second per source IP address.
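As an added example (not code from the post), a small parser that reads netstat output like the rows above and summarises the half-open connections per local port and per source, which is the check that turns a "weird traffic" alert into a SYN_RECV flood diagnosis. The sample rows, the anonymised addresses and the flood thresholds are constructed assumptions; the rate-limiting tool the post used is not named there and is not modelled here.

```python
import re
from collections import Counter

# Constructed sample in `netstat -ant` format (not the blog's real data):
# the local address is anonymised as in the post, the remote hosts are invented.
SAMPLE_NETSTAT = """\
tcp        0      0 188.165.xxx.xxx:80        107.83.110.62:1234      SYN_RECV    -
tcp        0      0 188.165.xxx.xxx:80        109.143.164.196:1234    SYN_RECV    -
tcp        0      0 188.165.xxx.xxx:80        109.222.2.66:1234       SYN_RECV    -
tcp        0      0 188.165.xxx.xxx:80        1.118.132.82:1234       SYN_RECV    -
tcp        0      0 188.165.xxx.xxx:80        109.222.2.66:1235       SYN_RECV    -
tcp        0      0 188.165.xxx.xxx:80        10.0.0.7:51022          ESTABLISHED 2231/apache2
tcp        0      0 188.165.xxx.xxx:22        10.0.0.9:40211          ESTABLISHED 1180/sshd
"""

# proto  recv-q  send-q  local:port  remote:port  state  (pid/program, ignored)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_syn_recv(netstat_text):
    """Return one (local_port, remote_ip, remote_port) tuple per SYN_RECV row."""
    rows = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "SYN_RECV":
            rows.append((int(m.group(2)), m.group(3), int(m.group(4))))
    return rows


def summarize(rows):
    """Counts that make a half-open flood visible: how many SYN_RECV entries sit
    on each local port, how many come from each source, and the set of remote
    source ports (one constant port for every source, as in the post's output,
    is worth recording in the incident notes as a tool signature)."""
    return {
        "total": len(rows),
        "by_local_port": Counter(port for port, _, _ in rows),
        "by_source": Counter(ip for _, ip, _ in rows),
        "distinct_sources": len({ip for _, ip, _ in rows}),
        "remote_ports": sorted({rp for _, _, rp in rows}),
    }


def is_flood(summary, max_half_open=64, min_sources=32):
    """Heuristic: many half-open connections from many distinct sources at once.
    Both thresholds are assumptions to tune against the host's normal backlog."""
    return (summary["total"] >= max_half_open
            and summary["distinct_sources"] >= min_sources)
```

Run it against `netstat -ant` output from the host instead of the sample to get the per-port and per-source counts a rate-limit rule would be built on.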

The attacker tried another 5-10 times to bring down our server, without success. The total bandwidth of the attack varied between 90 and 200 Mbps.

To protect the website in the future, I put Varnish Cache in front of Apache for dynamic content and nginx for static content.

It works really well: page serving time dropped from 4 s to 2.5 s (including downloading all images, stylesheets and JavaScript).
