Re: FreeBSD firewall block syn flood attack

From: G.P. de Boer (g.p.de.boer_at_st.hanze.nl)
Date: 05/20/03

    To: Ryan James <ryan@mac2.net>
    Date: 20 May 2003 10:12:18 +0200
    
    

    On Tue, 2003-05-20 at 08:52, Ryan James wrote:

    > I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
    > the internet. The servers are being attacked with syn floods and go down
    > multiple times a day.

    > I am trying to find a way to do some kind of syn flood protection inside the
    > firewall.

    On a few of my systems I have built dummynet pipes to limit the
    destroying effect of SYN-floods. By limiting incoming SYNs to a few
    packets per second (the systems don't have many legit incoming
    connection requests per second) I can be sure my boxes will survive the
    attack. A way to do this is to create separate pipes for every service, so
    even though the pipe for port 80 is full, the pipe for 25 might still
    have some room..

    Of course, since you're limiting a lot, the DoS is easier: legitimate
    connections won't succeed either. But..

    First, a system going down (crash/swamp/explode) is worse than a system
    which only doesn't accept connections. Immediately after the DoS-attack
    stops the servers will be available again.
    Secondly: most scriptkiddies are pretty stupid. I've seen quite a few
    SYN-floods to ports where nothing was listening, and which thus were
    firewalled off. Such attacks are quite pointless, except for the
    bandwidth use. This might be the case in your situation (you didn't tell
    ;). If so: just create a firewall rule blocking all incoming packets for
    those ports and the dummynet queue won't fill up with bogus traffic.

    Of course a little tcpdumping might help too. I've had a ping-flood of
    1K packets at 40Mbit/s from just 29 systems; by using tcpdump I could
    easily figure out which traffic I wanted to block. Filtering such an
    attack is easy and doable performance-wise.

    Hope this helps a bit and good luck!
    Pieter

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
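The per-service dummynet pipes and the "block ports nothing listens on" rule that Pieter describes, as an added example (this is not code from his message or from the FreeBSD project). The script does not touch the firewall itself; it prints the ipfw(8) commands (FreeBSD 4.x syntax) so they can be reviewed before being run on the bridge. Assumed and constructed values: the outside interface fxp0, the protected server 192.0.2.10, the service list (port:SYNs-per-second pairs) and the unused-port list; the 60-byte SYN size used to turn a packets-per-second budget into a dummynet bandwidth is an approximation, and on a 4.x bridge the rules only see traffic if net.link.ether.bridge_ipfw is enabled.

```shell
#!/bin/sh
# Emit ipfw/dummynet rules that give every protected service its own
# rate-limited pipe for inbound connection requests (SYN without ACK), so a
# flood on one port fills only that port's pipe, plus one deny rule for ports
# where nothing is listening. Prints commands; does not execute them.

IFACE="${IFACE:-fxp0}"          # assumed outside interface of the bridge

# syn_bw PPS -> dummynet bandwidth in bit/s allowing roughly PPS 60-byte SYNs
# per second (approximation: 60 bytes * 8 bits per segment).
syn_bw() {
    echo $(( $1 * 60 * 8 ))
}

# syn_pipe_rules PIPE RULE HOST PORT PPS
# One pipe per service: small queue so excess SYNs are dropped, not delayed;
# "setup" matches TCP segments with SYN set and ACK clear (new connections).
syn_pipe_rules() {
    pipe=$1; rule=$2; host=$3; port=$4; pps=$5
    printf 'ipfw pipe %s config bw %sbit/s queue 5\n' "$pipe" "$(syn_bw "$pps")"
    printf 'ipfw add %s pipe %s tcp from any to %s %s in via %s setup\n' \
        "$rule" "$pipe" "$host" "$port" "$IFACE"
}

# deny_unused_rules RULE HOST PORTLIST
# Drop inbound TCP to ports no service uses, so floods aimed at them never
# reach a pipe (ipfw accepts a comma-separated port list).
deny_unused_rules() {
    printf 'ipfw add %s deny tcp from any to %s %s in via %s\n' \
        "$1" "$2" "$3" "$IFACE"
}

# build_ruleset HOST -> the complete command list for one protected server.
# SERVICES holds "port:pps" pairs; defaults are constructed sample values.
build_ruleset() {
    host=$1
    services="${SERVICES:-80:20 25:5 22:3}"
    unused="${UNUSED_PORTS:-135,139,445}"
    n=1
    for svc in $services; do
        port=${svc%%:*}
        pps=${svc##*:}
        syn_pipe_rules "$n" "$((1000 + n * 10))" "$host" "$port" "$pps"
        n=$((n + 1))
    done
    deny_unused_rules 1900 "$host" "$unused"
}

build_ruleset 192.0.2.10
```

Run it as `SERVICES="80:20 25:5" UNUSED_PORTS="135,139,445" sh gen-syn-pipes.sh | sh` once the output looks right. The pipes only throttle connection attempts; established sessions still match later rules, and because dummynet's default one_pass behaviour lets packets leave the pipe without re-entering the ruleset, the pipe rules should come after any rules that must see every packet.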

