Syn Flood defense results oddity

From: Steve Francis (steve@expertcity.com)
Date: 09/06/01


Message-ID: <3B979B86.24DDC213@expertcity.com>
Date: Thu, 06 Sep 2001 08:51:34 -0700
From: Steve Francis <steve@expertcity.com>
To: FOCUS-SUN@SECURITYFOCUS.COM, secure-sol@lists.parc.xerox.com
Subject: Syn Flood defense results oddity

I just tested some systems for resilience against SYN floods, and got
some interesting results.

An Ultra 10 (with a core Solaris 8 installation, recent patches, and YASSP
installed (which increases tcp_conn_req_max_q0, etc.)) could tolerate only
up to 6285 Kbps, 12200 SYN packets per second, to a non-listening port,
regardless of whether inetd was running.

(At that level, its CPU was 100% in the kernel, and it stopped
responding to anything until the flood stopped.)

It could tolerate up to 21863 Kbps, 42600 packets per second, when the
SYNs were targeted at a port that the system was listening on. (Didn't
matter if it was ssh or smtp or what.) (Presumably performance is better
on a listening port as it doesn't have to RESET every connection attempt.)

For comparison, a Cisco 7200 with NPE-300 configured for TCP Intercept
and CEF reached 100% CPU at 7252 Kbps, 14100 packets per second.

So it seems the best defense is to not use TCP Intercept in the router,
but make sure the router filters all traffic bound for ports that aren't
listening on the Solaris machines.

However, I am puzzled by two things:

- I never got any of the TCP counters that are supposed to warn of SYN
problems to increment:

    tcpListenDrop   = 0    tcpListenDropQ0   = 0
    tcpHalfOpenDrop = 0    tcpOutSackRetrans = 4239

Do these counters work in Solaris 8? Possibly they need some specific
package added to make them work (which seems very odd).

- I also never got a kernel message of the sort "WARN port XXX may be
under attack!" which I have seen before (but never when I have actually
been under attack.)
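An added example (not part of the original post) showing one way to watch the counters named above: take two snapshots of "netstat -s -P tcp" style output and report which SYN-related counters grew between them. The two snapshots below are constructed sample text in the Solaris two-pairs-per-line layout, not output captured from the Ultra 10.

```shell
#!/bin/sh
# Constructed sample snapshots (not real output); layout mirrors
# "netstat -s -P tcp": two "name = value" pairs per line.
BEFORE='TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpListenDrop       =     0     tcpListenDropQ0     =     0
        tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =  4239'
AFTER='TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpListenDrop       =    17     tcpListenDropQ0     =   512
        tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =  4300'

# counter_value NAME SNAPSHOT: print the integer value of NAME found in
# SNAPSHOT (empty output if the counter is not present).
counter_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == name && $(i + 1) == "=") print $(i + 2) }'
}

# syn_counter_deltas BEFORE AFTER: print "name delta" for every
# SYN-related counter that increased between the two snapshots.
# Prints nothing when none of them moved, which is exactly the
# situation the post describes.
syn_counter_deltas() {
    for name in tcpListenDrop tcpListenDropQ0 tcpHalfOpenDrop; do
        b=$(counter_value "$name" "$1")
        a=$(counter_value "$name" "$2")
        # Skip counters missing from either snapshot.
        [ -n "$b" ] && [ -n "$a" ] || continue
        if [ "$a" -gt "$b" ]; then
            printf '%s %d\n' "$name" $((a - b))
        fi
    done
}

syn_counter_deltas "$BEFORE" "$AFTER"
```

On a live system the snapshots would come from running netstat before and during the test; a flood that drives the box to 100% kernel CPU while these deltas stay at zero is the oddity the post asks about.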
