Re: SYN Attacks - how i cant stop it
From: Spades (spades_at_galaxynet.org)
To: <email@example.com> Date: Fri, 13 Feb 2004 22:35:20 +0800
I got this error when i tried to type for some of those.
"sysctl: unknown oid...." any idea..
my server seems to be very lagged, where else
the network connection seems fine, i think BSD
itself as my other redhat box is fine.
What else can i do to get optimum protection.
----- Original Message -----
From: "Per Engelbrecht" <firstname.lastname@example.org>
Sent: Saturday, February 07, 2004 5:58 PM
Subject: Re: SYN Attacks - how i cant stop it
> > all nights. Check this.
> > Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> > 188.8.131.52 [ports 63432,63453,63466,63499,63522,...]
> > Feb 6 11:58:09 TCP: port scan mode expired for 184.108.40.206 -
> It's hard to get rid of shit-heads like this - I'm talking about the
> person doing this attac, that is.
> You send a looong output of a log, but no info on your system or any
> adjustments you have made (or not made) on your system i.e. kernel
> (options), sysctl (tweaks) and ipfw (rules).
> If the problem is out-of-bandwith (and your system already has been
> optimized) then the only real solution is more 'pipe' a.k.a the
> So fare I've only been guessing, but here is what I normally do with my
> setup. I'm not telling you that this is the solution! just adwises!
> options SC_DISABLE_REBOOT
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
> options IPSTEALTH (don't touch the ttl/can't see the wall)
> options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner)
> options RANDOM_IP_ID (hard to do calculate ip frekv. number)
> options DUMMYNET (e.g. 40% for web, 30% for mail and so on)
> options DEVICE_POLLING (can't do this short and not with SMP)
> options HZ=1000 (can't do this short and not with SMP)
> kern.ipc.somaxconn=1024 #this is set high!
> kern.ipc.nmbclusters=65536 #this is set high!
> kern.polling.enable=1 #remember kernel options
> kern.polling.user_frac=50>90 #remember kernel options
> (if you use dynamic rules in ipfw [stateful] you can tweak this)
> net.inet.ip.fw.dyn_ack_lifetime=200 #shorte timeout on connection
> net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
> net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
> net.inet.ip.fw.dyn_count: #count of number of dynamic rules
> There's a zillion ways to set it up. start with a few rules regarding
> lo0 and icmp. Then use stateful inspection and dynamic rules for the
> rest of the wall.
> ... and by the way, I could see that a few of the scan came from RIPE
> ranges. Do some digging and report it!
> Even if the boxes are use without the owners awareness, you can [we all
> can] bring this part to an end.
> email@example.com mailing list
> To unsubscribe, send any mail to
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"