From owner-freebsd-security Fri May 14 15:15:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 828C91531E for ; Fri, 14 May 1999 15:15:38 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA29117; Fri, 14 May 1999 16:14:55 -0600 (MDT)
Message-Id: <4.2.0.37.19990514161228.046541f0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 14 May 1999 16:14:48 -0600
To: Harold Gutch , Matthew Dillon
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG
In-Reply-To: <19990515001018.A22645@foobar.franken.de>
References: <4.2.0.37.19990514154319.04610b80@localhost> <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost> <19990514225001.A22317@foobar.franken.de> <4.2.0.37.19990514154319.04610b80@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:10 AM 5/15/99 +0200, Harold Gutch wrote:

>Why should we do anything at all ? Our current tactic (simply
>dropping sockets in SYN_RCVD state) if a certain backlog fills up
>and another SYN comes in seems to work quite well. You'll get in
>trouble though if the flooder manages to flush through the
>complete backlog in a timeframe shorter than the 2nd and the 3rd
>packet of the handshake take for the way back to the client and
>back to the server again.

You can still mount an effective DoS with a SYN flood by killing
a LARGE percentage of the new connections to the box.

> It may also depend on the complexity of your routing tables.
>
>
>1 loopback-route, 2 host routes, 2 network routes and a
>default-route. Not much, but I could add a number of bogus routes
>and try to crash the box then by SYN-flooding it.
>
>How many routes should I add ?

I'm not sure. It also may depend on whether the table is in flux.
See the original BUGTRAQ message which points out the bug.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
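
Added example, not part of the original message and not FreeBSD code: a small simulation of the backlog-drop tactic discussed above, measuring how many legitimate handshakes still have their SYN_RCVD entry when the client's ACK comes back. The two eviction policies (oldest-first and random), Poisson flood arrivals, the function name and all parameter values are assumptions, since the message does not say which entry gets dropped.

```python
import random

def survival_rate(backlog, flood_pps, rtt, policy, trials=2000, seed=1):
    """Fraction of legitimate half-open entries that survive one RTT.

    backlog   -- number of SYN_RCVD slots on the listening socket
    flood_pps -- spoofed SYNs per second (modelled as Poisson arrivals)
    rtt       -- seconds between the client's SYN and its final ACK
    policy    -- "oldest" (FIFO drop) or "random" (drop a random entry)
    """
    rng = random.Random(seed)          # seeded so results are repeatable
    survived = 0
    for _ in range(trials):
        # The queue is already full; the client's entry is the newest one.
        pos = backlog - 1              # index 0 is the oldest entry
        alive = True
        t = rng.expovariate(flood_pps)
        while t < rtt:
            # Each flood SYN hits a full queue and forces one eviction.
            victim = 0 if policy == "oldest" else rng.randrange(backlog)
            if victim == pos:
                alive = False          # client's ACK will find no entry
                break
            if victim < pos:
                pos -= 1               # entries behind the victim move up
            t += rng.expovariate(flood_pps)
        survived += alive
    return survived / trials

if __name__ == "__main__":
    # Constructed parameters: 128-slot backlog, 200 ms round trip.
    for pps in (100, 500, 1000, 2000):
        row = [survival_rate(128, pps, 0.2, p) for p in ("oldest", "random")]
        print(f"{pps:5d} SYN/s  oldest-drop {row[0]:.2f}  random-drop {row[1]:.2f}")
```

Under oldest-first drop the client survives until the flood cycles the whole backlog within one RTT and then fails completely; under random drop the loss rises gradually, roughly as exp(-flood_pps * rtt / backlog).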