Re: SYN Attacks - how i cant stop it

From: Anton Alin-Adrian (aanton_at_reversedhell.net)
Date: 02/13/04

    Date: Fri, 13 Feb 2004 18:33:14 +0200
    To: freebsd-questions@freebsd.org

    JJB wrote:
    > You talk about the net.inet.tcp.syncookies=1 knob,
    > how about a description on what it does and why you
    > are recommending using it.

    The net.inet.tcp.syncookies 'knob', if set to 1, enables syn cookies.
    Syn cookies were invented specifically for syn flood protection. A brief
    description of syncookies idea can be read here:

    http://cr.yp.to/syncookies.html

    > How would one go about mirroring back the attackers
    > syn packets to port 80 or 22?
    > Please describe this easy method of yours.
    >

    Mirroring back packets to the attacker is, first of all, a nasty thing.
    Secondly, it is only possible if the attacker's IP is known. If it is
    not known, then obviously it's not possible.

    Knowing the attacker's IP does not necessarily mean that he is performing
    the current attacks from that IP.

    Packet redirection with ipfw is done using divert sockets. One needs to
    have it compiled into the kernel. Divert sockets are also used by ipfw
    nat redirection. It's all in the man pages of ipfw.

    If the flood is severely intense (from the point of stack memory
    exhaustion), it might be a good improvement to drop 5% of incoming SYN
    packets. This can also be done with ipfw, and is described in the manual
    pages. However, I don't think one would ever come to this.

    Asking the ISP to put the server behind a decent cisco router, and
    implement syn cookies on hardware devices, is the best protection.

    -- 
    Alin-Adrian Anton
    Reversed Hell Networks
    GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
    gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
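The message above points at the syncookies write-up but does not show the mechanism. The following is an added, user-space model of the idea described there (it is not the FreeBSD kernel's implementation and not code from the list post): the server packs a time counter, an MSS index and a keyed hash of the 4-tuple into the initial sequence number of its SYN-ACK, keeps no half-open state, and recovers everything it needs when the client's ACK comes back. The secret, the MSS table, the 64-second counter period and the four-tick validity window are assumptions chosen for the model; the addresses in `demo()` are constructed.

```python
"""User-space model of TCP SYN cookies, following the cr.yp.to description.

Illustrative only: not the FreeBSD kernel's code. The server stores nothing
for a half-open connection; the cookie it sends as its ISN carries the
state, and the client's final ACK (ack number - 1) returns it.
"""
import hashlib
import hmac
import struct

# Constructed demo secret. A kernel keeps its secret in memory and rotates
# it; anyone who learns it can forge cookies.
SECRET = b"constructed-demo-secret-not-for-production"

# Small table of MSS values; the cookie has room only for an index into it.
MSS_TABLE = (536, 1300, 1440, 1460)

COUNTER_PERIOD = 64   # seconds per counter tick (assumption for the model)
MAX_AGE_TICKS = 4     # cookies older than this are rejected as stale


def time_counter(now_seconds):
    """Slowly incrementing counter t, derived from wall-clock time."""
    return int(now_seconds) // COUNTER_PERIOD


def _mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def _hash24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the connection 4-tuple and the counter."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Server ISN for the SYN-ACK: 5 bits of t, 3 bits of MSS index, 24-bit hash."""
    return (((counter & 0x1F) << 27)
            | (_mss_index(client_mss) << 24)
            | _hash24(src_ip, src_port, dst_ip, dst_port, counter))


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now_counter):
    """Validate the cookie carried in the client's final ACK.

    Returns the MSS to use for the new connection, or None if the cookie
    is forged, belongs to a different 4-tuple, or is too old.
    """
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    for age in range(MAX_AGE_TICKS):
        candidate = now_counter - age
        if candidate < 0:
            break
        if (candidate & 0x1F) != t_low:
            continue
        if _hash24(src_ip, src_port, dst_ip, dst_port, candidate) == h:
            return MSS_TABLE[mss_idx]
        return None  # counter bits matched but the hash did not: forged
    return None      # no recent counter tick matches: stale


def demo():
    """One handshake through the model; returns (accepted_mss, stale, wrong_port)."""
    client = (bytes([192, 0, 2, 10]), 40000)    # constructed client address
    server = (bytes([198, 51, 100, 1]), 80)     # constructed server address
    t = time_counter(1_000_000)
    cookie = make_cookie(*client, *server, client_mss=1460, counter=t)
    accepted = check_cookie(cookie, *client, *server, now_counter=t + 1)
    stale = check_cookie(cookie, *client, *server, now_counter=t + 40)
    wrong_port = check_cookie(cookie, client[0], 40001, *server, now_counter=t)
    return accepted, stale, wrong_port


if __name__ == "__main__":
    print(demo())
```

The model shows why syncookies help under a flood: a forged SYN costs the server one hash computation and no memory, and an ACK that does not carry a valid cookie for its own 4-tuple and a recent counter is simply discarded. The price is visible too: only a coarse MSS can be recovered, and a cookie is only as strong as the 24-bit hash and the secrecy of the key behind it.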