Re: SYN Attacks - how i cant stop it
From: Spades (spades_at_galaxynet.org)
Date: 02/13/04
- Previous message: Barnes, John: "XFree86 Font Information File Buffer Overflow"
- Maybe in reply to: jhernandez_at_progrexive.com: "SYN Attacks - how i cant stop it"
- Next in thread: Anton Alin-Adrian: "Re: SYN Attacks - how i cant stop it"
- Reply: Anton Alin-Adrian: "Re: SYN Attacks - how i cant stop it"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <freebsd-questions@freebsd.org> Date: Fri, 13 Feb 2004 22:35:20 +0800
Hi,
I got this error when I tried to type some of those:
"sysctl: unknown oid...." Any idea?
My server seems to be very lagged, whereas
the network connection seems fine; I think it is BSD
itself, as my other Redhat box is fine.
What else can I do to get optimum protection?
Thanks.
----- Original Message -----
From: "Per Engelbrecht" <per@xterm.dk>
To: <jhernandez@progrexive.com>
Cc: <freebsd-security@freebsd.org>
Sent: Saturday, February 07, 2004 5:58 PM
Subject: Re: SYN Attacks - how i cant stop it
> Hi,
>
> <snip>
> > all nights. Check this.
> >
> > Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> > 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> > Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
> <snip>
>
>
> It's hard to get rid of shit-heads like this - I'm talking about the
> person doing this attack, that is.
> You send a looong output of a log, but no info on your system or any
> adjustments you have made (or not made) on your system i.e. kernel
> (options), sysctl (tweaks) and ipfw (rules).
> If the problem is out-of-bandwidth (and your system already has been
> optimized) then the only real solution is more 'pipe' a.k.a. the
> Microsoft-solution.
> So far I've only been guessing, but here is what I normally do with my
> setup. I'm not telling you that this is the solution! Just advice!
>
> Kernel;
> options SC_DISABLE_REBOOT
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
> options IPSTEALTH (don't touch the ttl/can't see the wall)
> options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner)
> options RANDOM_IP_ID (hard to calculate the IP frequency number)
> options DUMMYNET (e.g. 40% for web, 30% for mail and so on)
> options DEVICE_POLLING (can't do this short and not with SMP)
> options HZ=1000 (can't do this short and not with SMP)
>
> Sysctl;
> kern.ipc.somaxconn=1024 #this is set high!
> kern.ipc.nmbclusters=65536 #this is set high!
> kern.polling.enable=1 #remember kernel options
> kern.polling.user_frac=50>90 #remember kernel options
> net.xorp.polling=1
> net.xorp.poll_burst=10
> net.xorp.poll_in_trap=3
> (if you use dynamic rules in ipfw [stateful] you can tweak this)
> net.inet.ip.fw.dyn_ack_lifetime=200 #shorter timeout on connection
> net.inet.ip.fw.dyn_syn_lifetime=20
> net.inet.ip.fw.dyn_fin_lifetime=20
> net.inet.ip.fw.dyn_rst_lifetime=5
> net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
> net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
> net.inet.ip.fw.dyn_count: #count of number of dynamic rules
>
> ipfw;
> There's a zillion ways to set it up. start with a few rules regarding
> lo0 and icmp. Then use stateful inspection and dynamic rules for the
> rest of the wall.
>
> ... and by the way, I could see that a few of the scan came from RIPE
> ranges. Do some digging and report it!
> Even if the boxes are used without the owners' awareness, you can [we all
> can] bring this part to an end.
>
> respectfully
> /per
> per@xterm.dk
>
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
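The quoted log lines are the only concrete evidence in the thread, and Per's advice is to dig into the sources and report them. Below is an added example (not code from either poster) that parses lines in exactly the format shown above, groups them per source address, flags sources that hit one destination port from many source ports (the pattern in the quoted log, which is what a single-host SYN flood looks like to this logger) and checks each flagged source against a list of address ranges. The sample log is constructed (its first two lines reproduce the quoted entries, the rest are made up), and ASSUMED_RANGES is a hypothetical stand-in for the "RIPE ranges" Per mentions; a real check would use whois data, which this offline script does not fetch.

```python
"""Summarise 'port scan detected' log lines of the form quoted in the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input. The first two lines are the quoted log entries;
# the remaining lines are made up to exercise the grouping logic.
SAMPLE_LOG = """\
Feb 6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
Feb 6 12:01:10 TCP: port scan detected [port 6667] from 10.20.30.40 [ports 1025,1026]
Feb 6 12:03:44 TCP: port scan detected [port 22] from 212.165.80.117 [ports 40001,40002,40003]
"""

# Hypothetical ranges standing in for the "RIPE ranges" mentioned in the
# thread; replace with ranges taken from a real whois lookup.
ASSUMED_RANGES = [ipaddress.ip_network("212.165.0.0/16"),
                  ipaddress.ip_network("62.0.0.0/8")]

DETECTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) TCP: port scan detected "
    r"\[port (?P<dport>\d+)\] from (?P<src>\d+(?:\.\d+){3}) "
    r"\[ports (?P<sports>[\d,]+)(?P<more>,\.\.\.)?\]$")
EXPIRED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) TCP: port scan mode expired for "
    r"(?P<src>\d+(?:\.\d+){3})")


def new_entry():
    return {"events": 0, "expired": 0, "dst_ports": set(),
            "src_ports": set(), "truncated": False}


def parse_scan_log(text):
    """Return {source_ip: summary} for every detected/expired line in text."""
    summary = defaultdict(new_entry)
    for line in text.splitlines():
        m = DETECTED.match(line)
        if m:
            e = summary[m["src"]]
            e["events"] += 1
            e["dst_ports"].add(int(m["dport"]))
            e["src_ports"].update(int(p) for p in m["sports"].split(",") if p)
            # "..." means the logger cut the port list short, so the real
            # number of source ports is at least what we counted.
            e["truncated"] = e["truncated"] or bool(m["more"])
            continue
        m = EXPIRED.match(line)
        if m:
            summary[m["src"]]["expired"] += 1
    return dict(summary)


def flag_sources(summary, min_src_ports=5):
    """Sources seen from at least min_src_ports distinct source ports.

    One host opening many source ports towards a single destination port is
    the pattern in the quoted log; a normal client reuses a handful of ports.
    """
    return sorted(src for src, e in summary.items()
                  if len(e["src_ports"]) >= min_src_ports)


def in_ranges(ip, ranges):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def report(summary, ranges=ASSUMED_RANGES, min_src_ports=5):
    """One line per flagged source, suitable for pasting into an abuse report."""
    lines = []
    for src in flag_sources(summary, min_src_ports):
        e = summary[src]
        ports = ",".join(str(p) for p in sorted(e["dst_ports"]))
        lines.append("%s: %d detections, dst port(s) %s, >=%d src ports%s, %s"
                     % (src, e["events"], ports, len(e["src_ports"]),
                        " (list truncated)" if e["truncated"] else "",
                        "in listed range" if in_ranges(src, ranges)
                        else "not in listed range"))
    return lines


if __name__ == "__main__":
    for line in report(parse_scan_log(SAMPLE_LOG)):
        print(line)
```

Run it against the real log with `python3 scanlog.py < /var/log/messages` after swapping SAMPLE_LOG for `sys.stdin.read()`; the threshold of five source ports is a starting point, and the "truncated" marker tells you when the logger's own port list cut off and the true count is higher.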