Re: FreeBSD firewall block syn flood attack

From: Mike Hoskins (mike_at_adept.org)
Date: 05/22/03

    Date: Wed, 21 May 2003 15:08:24 -0700 (PDT)
    To: freebsd-security@freebsd.org
    
    

    > > I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
    > > the internet. The servers are being attacked with syn floods and go down
    > > multiple times a day.

    From disparate sources? Start with a sniffer and attempt to understand
    the nature of your attacker. Is he clever? If not, you may not have to
    be that clever to defeat him.

    > > The 7 servers belong to a client, who runs redhat.

    Suggest grabbing the latest errata via up2date/rhn and ensuring syncookies
    are enabled per others' suggestions.

    On Tue, 20 May 2003, jeremie le-hen wrote:
    > I don't think a firewall can achieve this, even if it has some matching
    > options like the "limit" match in Netfilter, which permits to specify a
    > maximum number of times a rule can match in a given period, since if the
    > SYN-flood is cleverly done (ie. randomly spoofed), other valid connections
    > attempts will be also limited.

    Of course there is no single answer...

    The overall effectiveness, as another pointed out, comes down to
    bandwidth. No matter how clever you are, if the attacker can manage to
    use all available bandwidth... they win.

    If more providers properly filtered on their access devices, spoofing
    would be much less of an issue. Even with spoofing, attacks often follow
    a typical "profile".

    <aside>
    Cisco's PIX supports embryonic session limits. You can say "only allow
    each client to start X connections to host:port". If the limit is
    exceeded, the client is blocked and subsequent connections (from the same
    client, to the same host:port) are subjected to a backoff period. So you
    can limit how much damage an attacker can do from any single vantage
    point. In the typical botnet example with SYNs coming from thousands of
    sources on tens to hundreds of different networks... You can obviously
    still consume all available bandwidth with a good firewall configuration.
    This is very similar to using dummynet queues, netfilter's limit, etc.
    You can mitigate certain attacks, but if the bandwidth's gone it doesn't
    really matter. Effectively stopping a determined attacker often involves
    getting network providers involved.
    </aside>

    So... There are things a firewall can do... But the place to start is
    ensuring you understand as much as possible about your attacker and the
    mode of attack.

    -mrh

