Date: Mon, 26 Jul 2021 13:59:14 +0100 From: Norman Gray <gray@nxg.name> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Detecting or mitigating syn-flood attacks Message-ID: <57893A91-2180-441F-836F-66EAC526FBB8@nxg.name>
Greetings.

Can anyone point me towards best-practice guidance on detecting and mitigating syn-flood attacks, with a focus on FreeBSD?

We run a login server, providing ssh access to our users, from the open internet. It's running in a jail on a FreeBSD machine. This machine (both jail and host) has recently become unresponsive on occasion, even to the extent of it being impossible to log in on the console (the password prompt never appears). Nothing in the logs.

We _think_ we are (or have been) a victim of a syn-flood attack, but mostly on the grounds of having ruled out most plausible alternatives: we're struggling to find positive confirmation of this.

So I have two related questions:

1. What should we be looking at, to confirm or refute this hypothesis? And, supposing that the attack has stopped when we're looking, what should we be monitoring to detect such a thing if it comes back?

2. Is there a best-practice document that we should be working through? The machine is in a jail, with firewall rules which are, I _think_, as restrictive as is compatible with the service's purpose of having port 22 open to the internet.

A few extra observations:

I thought I'd be able to find all sorts of information and guidance on this, but my google-fu seems lacking.

Regarding the sshd configuration, <https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a few points, which we're already observing. The machine's sshd_config is pretty restrictive: I'm reasonably comfortable I understand the important parts of the sshd configuration, but there's always more to learn. In any case, my own uncertainty is more with the pf configuration than the sshd one.

I see for example <https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-attack-nginx-go-offline.23912/>, but that's rather terse, and now 10 years old. There are of course various 'top 20 ssh best practices !1!!' documents here and there, but their recommendations, while not necessarily wrong, tend to be rather voodoo, which doesn't make me trust them much.

I'm comfortable with basic pf configuration, but I haven't so far had to venture very far off-shore. I'm reluctant to type in firewall rules I don't understand (*cough*).

I'm also using blacklistd on the jail host, with all its eccentricities.

Best wishes,

Norman

-- 
Norman Gray  :  https://nxg.me.uk
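The two questions above (how to confirm a SYN flood, and what pf rules to run for a single exposed port 22) are answered below as an added example; it is not part of Norman's message, nor of any FreeBSD handbook text. The triage helpers read the output of `netstat -an -p tcp` and `netstat -s -p tcp` on stdin so they can be exercised offline on constructed sample data (documentation-range addresses, invented counter values); the live commands to feed them are in the comments. Unless the jail is a VNET jail it shares the host's TCP stack and pf, so both the checks and the rules belong on the host. The interface name `em0`, the address `203.0.113.10`, the state limits, the connection-rate thresholds, and the `set syncookies` line (which needs the pf syncookie support in FreeBSD 13 or later) are all assumptions to be adjusted before use.

```shell
#!/bin/sh
# Added example, not part of Norman's message or of any FreeBSD document:
# offline-testable triage helpers for a suspected SYN flood, plus a pf ruleset
# fragment for port 22. Interface name, addresses, sample data and thresholds
# are all assumptions; the live commands to feed the helpers are in comments.

# ---- 1. Confirming (or refuting) the SYN-flood hypothesis -------------------
# Run on the host (a non-VNET jail shares the host's TCP stack and pf):
#   netstat -an -p tcp | syn_rcvd_count      # half-open connections right now
#   netstat -an -p tcp | top_syn_sources     # which peers they belong to
#   netstat -s -p tcp > /var/tmp/tcp.before  # ... later: > /var/tmp/tcp.after
#   counter_delta /var/tmp/tcp.before /var/tmp/tcp.after
#   sysctl net.inet.tcp.syncookies net.inet.tcp.syncache   # cookie/cache tuning
#   pfctl -si; pfctl -sm                     # pf state counters and limits

# Sockets in SYN_RCVD are the half-open connections a flood leaves behind;
# netstat prints the state in the last column.
syn_rcvd_count() {
    awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# "count address" per remote peer with half-open connections, busiest first.
# The trailing ".port" is stripped so IPv4 (a.b.c.d.p) and IPv6 (x::y.p) both
# work. Many peers with one entry each points at spoofed sources (pf's
# max-src-conn-rate will not help there; synproxy/syncookies will); one peer
# with many points at a single client that rate limiting can handle.
top_syn_sources() {
    awk '$NF == "SYN_RCVD" { sub(/\.[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Difference of two `netstat -s -p tcp` snapshots, printed as "delta text".
# Lines are matched by position (netstat prints every counter, so the shape is
# stable); non-counter lines and unchanged counters are skipped. During a SYN
# flood the "syncache entries added", "bucket overflow", "cache overflow" and
# "cookies sent" counters climb; if they stay flat while the box is
# unresponsive, the problem is probably not a SYN flood.
counter_delta() {
    awk 'NR == FNR { before[FNR] = $1; next }
         $1 ~ /^[0-9]+$/ && ($1 - before[FNR]) != 0 {
             text = $0; sub(/^[ \t]*[0-9]+[ \t]*/, "", text)
             printf "%d %s\n", $1 - before[FNR], text
         }' "$1" "$2"
}

# Cron/monitoring hook: succeeds when half-open connections reach a threshold
# (an assumed number; size it from what the host shows on a quiet day).
syn_flood_suspected() {
    [ "$(syn_rcvd_count)" -ge "${1:-50}" ]
}

# ---- 2. Mitigation in pf ----------------------------------------------------
# Writes a ruleset fragment to the file named in $1; merge it into the host's
# /etc/pf.conf and dry-run it with `pfctl -nf /etc/pf.conf` before loading.
write_ssh_pf_rules() {
    cat > "$1" <<'EOF'
ext_if = "em0"              # assumption: external interface
ssh_host = "203.0.113.10"   # assumption: the jail's address

table <sshflood> persist    # inspect with: pfctl -t sshflood -T show

set limit states 100000     # headroom over the default (pfctl -sm shows it)
set timeout tcp.first 30    # expire half-open states after 30 s, not 120
set timeout tcp.opening 10
set syncookies adaptive (start 25%, end 12%)   # FreeBSD 13+ only; drop on 12.x

block in quick on $ext_if from <sshflood>
# synproxy: pf completes the handshake before sshd sees the connection; a peer
# opening more than 10 connections in 30 s, or holding 20 at once, is tabled.
pass in on $ext_if proto tcp from any to $ssh_host port 22 \
    flags S/SA synproxy state \
    (max-src-conn 20, max-src-conn-rate 10/30, overload <sshflood> flush global)
EOF
}

# ---- Constructed sample data (documentation-range addresses, not captures) --
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.10.22        198.51.100.7.41234     SYN_RCVD
tcp4       0      0 203.0.113.10.22        198.51.100.7.41235     SYN_RCVD
tcp4       0      0 203.0.113.10.22        198.51.100.9.2001      SYN_RCVD
tcp6       0      0 2001:db8::a.22         2001:db8:1::5.5000     SYN_RCVD
tcp4       0      0 203.0.113.10.22        192.0.2.44.51000       ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN'
SAMPLE_STATS_BEFORE='tcp:
    1200 syncache entries added
        3 bucket overflow
        0 cache overflow
    40 cookies sent'
SAMPLE_STATS_AFTER='tcp:
    81200 syncache entries added
        9003 bucket overflow
        17 cache overflow
    79040 cookies sent'

main() {
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_rcvd_count
    printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources
    b="$(mktemp)"; a="$(mktemp)"; r="$(mktemp)"
    printf '%s\n' "$SAMPLE_STATS_BEFORE" > "$b"
    printf '%s\n' "$SAMPLE_STATS_AFTER" > "$a"
    counter_delta "$b" "$a"
    write_ssh_pf_rules "$r"
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$r"; fi   # syntax check where pf exists
    rm -f "$b" "$a" "$r"
}
main
```

On the sample data `syn_rcvd_count` reports 4 half-open connections, `top_syn_sources` puts 198.51.100.7 first with 2, and `counter_delta` shows 80000 new syncache entries and 79000 cookies sent between the two snapshots: that is the shape a real SYN flood produces. The ruleset is deliberately conservative: `synproxy state` shields sshd from half-open connections but, before the pf syncookie support in FreeBSD 13, pf still keeps a state per SYN, which is why the state limit and the short `tcp.first` timeout are there; `max-src-conn-rate` and the `<sshflood>` table only bite on peers that complete handshakes, so they handle a brute-forcing client rather than a spoofed flood. Dry-run every change with `pfctl -nf` and watch `pfctl -si` for state-table pressure after loading.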
