DDoS and SYN flood attacks are a nightmare for any system admin. You can easily find yourself in a situation where all your servers are down for hours, and nothing seems to help.
This guide gives you a solid defense strategy so you’re not sitting helplessly while your infrastructure is under fire.
Basic Protection with cPFence
If the attack is small or basic, cPFence automatically has your back. Any client that opens more than 100 connections is temporarily blocked. If it repeats within a short time frame, the block becomes permanent and our global IPDB is updated for all clients.
If the attack gets aggressive with lots of hit-and-run attempts, we recommend enabling under attack mode using:
cpfence --under-attack-on
This applies stricter protection policies to help your server stay online.
Stronger Defense for Larger Attacks
First, analyze the IPs. If they're all coming from one country or one ASN, it’s your lucky day. You can use cPFence’s built-in tools to block the entire country or ASN easily.
To block by country:
cpfence --blacklist-country ISOCODE
Example:
cpfence --blacklist-country cn
For ASN blocking, cPFence offers a unique feature not found in other security software:
cpfence --blacklist-asn
But what if the attacks are coming from many countries, or from places you can’t block, like the US or even your own country? In that case, keep reading: the solutions below will help you get back online fast.
Rule Number One: Don’t Panic!
Seeing your entire infrastructure go down is stressful — no doubt about it. But the most important thing you can do right now is stay calm. Panicking often leads to rushed decisions that cause more damage than the attack itself. Take a deep breath, follow the steps carefully, and you’ll have a much better chance of getting everything back online without making things worse.
SYN Flood Attack Rate Limiting Strategies
If things start to get out of control, follow these steps to deploy a more robust solution. It rate-limits incoming SYN packets and dynamically blacklists abusive IPs.
1. Back up your current iptables rules
iptables-save > /root/iptables.backup.$(date +%F-%H%M)
To restore later:
iptables-restore < /root/iptables.backup.YYYY-MM-DD-HHMM
2. Load or reload required kernel modules
modprobe -r xt_recent 2>/dev/null
modprobe xt_recent ip_list_tot=20000 ip_pkt_list_tot=40
modprobe xt_hashlimit
3. Create a custom chain (only if it doesn’t exist)
iptables -N DDOS 2>/dev/null || true
4. Add the DDOS protection rules
# Drop traffic from IPs already on the blacklist. --rcheck does not refresh the entry's
# timestamp, so an IP stays blocked for 300 s after the last SYN that tripped the limit below
iptables -C DDOS -m recent --name blacklist --rcheck --seconds 300 \
--hitcount 1 --rsource -j DROP 2>/dev/null || \
iptables -A DDOS -m recent --name blacklist --rcheck --seconds 300 \
--hitcount 1 --rsource -j DROP
# Rate-limit SYNs to port 443 per source IP and blacklist offenders: a source sending
# more than 4 SYN/s (after a burst allowance of 12) is dropped and added to the list
iptables -C DDOS -p tcp --syn --dport 443 \
-m hashlimit --hashlimit-name https_limit \
--hashlimit-above 4/second --hashlimit-burst 12 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-m recent --name blacklist --set --rsource -j DROP 2>/dev/null || \
iptables -A DDOS -p tcp --syn --dport 443 \
-m hashlimit --hashlimit-name https_limit \
--hashlimit-above 4/second --hashlimit-burst 12 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-m recent --name blacklist --set --rsource -j DROP
# Return other traffic to normal INPUT flow
iptables -C DDOS -j RETURN 2>/dev/null || iptables -A DDOS -j RETURN
Note: The -C … || -A … pattern checks if a rule exists before appending it, preventing duplicates.
5. Insert the DDOS chain at the top of INPUT
iptables -C INPUT -j DDOS 2>/dev/null || iptables -I INPUT 1 -j DDOS
This ensures DDOS rules get processed first.
6. Monitor the effect
iptables -nvL DDOS --line-numbers
watch -n5 'wc -l /proc/net/xt_recent/blacklist'
(-n skips reverse DNS lookups, which would stall the listing while the attack is running.) You should see the blacklist grow and the SYN-RECV backlog shrink:
ss -H state syn-recv sport = :443 | wc -l
If SYN-RECV stays in the thousands after a few minutes, the attack is too large for one server to handle alone.
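As an added example (not part of the original guide), a small POSIX shell helper that parses the xt_recent table the DDOS chain fills and summarises hits per IP and per /24, which is useful both for watching the blacklist here and for the "analyze the IPs" step earlier. The sample lines are constructed in xt_recent's format using documentation addresses.

```shell
#!/bin/sh
# Summarise an xt_recent table such as /proc/net/xt_recent/blacklist (the list
# the DDOS chain fills). Each line looks like:
#   src=A.B.C.D ttl: N last_seen: T oldest_pkt: I T1, T2, ...
# where the trailing timestamps are the packets recorded for that source
# (capped by the ip_pkt_list_tot module parameter, 40 in this guide).

# Output: "<ip> <hits>", busiest sources first. Reads xt_recent lines on stdin.
per_ip_hits() {
    awk '/^src=/ {
        ip = substr($1, 5)
        # everything after "oldest_pkt: I" is the timestamp list
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { start = i + 2; break }
        printf "%s %d\n", ip, NF - start + 1
    }' | sort -k2,2nr -k1,1
}

# Output: "<network>/24 <hits> <distinct hosts>", busiest networks first.
# A few /24s carrying most hits points at a blockable range; a flat spread
# across many networks means per-source blocking alone will not be enough.
per_net24_hits() {
    per_ip_hits | awk '{
        split($1, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        hits[net] += $2; hosts[net]++
    }
    END { for (n in hits) printf "%s %d %d\n", n, hits[n], hosts[n] }' \
    | sort -k2,2nr -k1,1
}

# Constructed sample in xt_recent format using documentation addresses;
# not taken from a real blacklist.
SAMPLE_BLACKLIST='src=203.0.113.7 ttl: 51 last_seen: 4295067254 oldest_pkt: 0 4295067251, 4295067252, 4295067254
src=198.51.100.20 ttl: 64 last_seen: 4295067260 oldest_pkt: 0 4295067260
src=203.0.113.9 ttl: 49 last_seen: 4295067262 oldest_pkt: 0 4295067255, 4295067257, 4295067259, 4295067261, 4295067262'

# On a live server replace the printf with: cat /proc/net/xt_recent/blacklist
printf '%s\n' "$SAMPLE_BLACKLIST" | per_ip_hits | head -n 10
printf '%s\n' "$SAMPLE_BLACKLIST" | per_net24_hits
```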
7. Make it survive reboot
If you're using iptables-persistent:
iptables-save > /etc/iptables/rules.v4
Final Advice
You’ve now added solid protection to your firewall without touching existing rules. This setup helps mitigate small to medium DDoS / SYN flood attacks.
For larger-scale attacks, if you're using Hetzner or another cloud provider with firewall support, you can survive most large-volume attacks by applying strict firewall rules that only allow traffic from trusted IPs.
Here’s how to do it:
Visit Cloudflare’s official IP ranges:
Add all Cloudflare IPs (both v4 and v6) into your firewall rule for TCP port 443.
Add your own server IPs too (all your cluster IPs). To automatically fetch your current server IPs (v4 and v6) from your Enhance cluster, run the helper below (note that -k disables certificate verification for the download, so read the script before running it on a production host):
bash <(curl -ks https://api.cpfence.app/whitelist_your_ips.sh)
In Hetzner Cloud, create firewall rules like this:
For TCP Port 443, allow inbound traffic only from the Cloudflare ranges and your own server IPs.
Repeat the same for TCP Port 80
If your server also serves DNS, allow only trusted IPs on UDP and TCP Port 53
Keep SSH (Port 22) restricted to your own IP or trusted admin IPs
This method assumes the DDoS attack is targeting HTTPS (port 443), which is the most common scenario. With these rules in place, only Cloudflare and your internal servers can reach your machine, blocking all direct access from attackers. Your Cloudflare-protected sites will stay online, and in most cases, attackers will automatically detect the block and eventually stop the attack when their traffic gets consistently dropped.
This setup helps you get your server back under control and online fast, minimizing downtime and damage. Bookmark this guide — you might not need it today, but when an attack hits, it could save your server and your sanity. Everything shared here comes from real-world attacks we faced and the exact solutions we used to defend our own infrastructure.
Good luck out there.