From owner-freebsd-questions@freebsd.org  Mon Jul 26 12:59:25 2021
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4C7AD66BD87
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Mon, 26 Jul 2021 12:59:25 +0000 (UTC) (envelope-from gray@nxg.name)
Received: from smtp99.ord1c.emailsrvr.com (smtp99.ord1c.emailsrvr.com
 [108.166.43.99])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4GYKkh3sZ2z4Sfb
 for <freebsd-questions@freebsd.org>; Mon, 26 Jul 2021 12:59:24 +0000 (UTC)
 (envelope-from gray@nxg.name)
X-Auth-ID: gray@nxg.name
Received: by smtp13.relay.ord1c.emailsrvr.com (Authenticated sender:
 gray-AT-nxg.name) with ESMTPSA id BE9A7A0158; 
 Mon, 26 Jul 2021 08:59:16 -0400 (EDT)
From: Norman Gray <gray@nxg.name>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Detecting or mitigating syn-flood attacks
Date: Mon, 26 Jul 2021 13:59:14 +0100
X-Mailer: MailMate (1.14r5769)
Message-ID: <57893A91-2180-441F-836F-66EAC526FBB8@nxg.name>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Classification-ID: f54f84af-2f4f-4de1-adea-ac2580ded647-1-1
X-Rspamd-Queue-Id: 4GYKkh3sZ2z4Sfb
X-Spamd-Bar: +++
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of gray@nxg.name designates 108.166.43.99 as
 permitted sender) smtp.mailfrom=gray@nxg.name
X-Spamd-Result: default: False [3.20 / 15.00]; ARC_NA(0.00)[];
 RWL_MAILSPIKE_VERYGOOD(0.00)[108.166.43.99:from];
 FROM_HAS_DN(0.00)[]; R_MISSING_CHARSET(2.50)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 R_SPF_ALLOW(-0.20)[+ip4:108.166.43.0/24];
 DMARC_NA(0.00)[nxg.name]; RCPT_COUNT_ONE(0.00)[1];
 TO_DN_ALL(0.00)[];
 RCVD_IN_DNSWL_NONE(0.00)[108.166.43.99:from];
 NEURAL_SPAM_SHORT(1.00)[1.000]; RCVD_COUNT_ZERO(0.00)[0];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:19994, ipnet:108.166.0.0/18, country:US];
 MID_RHS_MATCH_FROM(0.00)[];
 MAILMAN_DEST(0.00)[freebsd-questions]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2021 12:59:25 -0000


Greetings.

Can anyone point me towards best-practice guidance on detecting and =

mitigating syn-flood attacks, with a focus on FreeBSD?

We run a login server, providing ssh access to our users, from the open =

internet.   It's running in a jail on a FreeBSD machine.  This machine =

(both jail and host) has recently become unresponsive on occasion, even =

to the extent of it being impossible to log in on the console (the =

password prompt never appears).  Nothing in the logs.  We _think_ we are =

(or have been) victim to a syn-flood attack, but mostly on the grounds =

of having ruled out most plausible alternatives: we're struggling to =

find positive confirmation of this.

So I have two related questions:

1. What should we be looking at, to confirm or refute this hypothesis?  =

And, supposing that the attack has stopped when we're looking, what =

should we be monitoring to detect such a thing if it comes back?

2. Is there a best practice document that we should be working through?  =

The machine is in a jail, with firewall rules which are, I _think_, as =

restrictive as is compatible with the service's purpose of having port =

22 open to the internet.

A few extra observations:

I thought I'd be able to find all sorts of information and guidance on =

this, but my google-fu seems lacking.

Regarding the sshd configuration, =

<https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a =

few points, which we're already observing.  The machine's sshd_config is =

pretty restrictive: I'm reasonably comfortable I understand the =

important parts of the sshd configuration, but there's always more to =

learn.  In any case, my own uncertainty is more with the pf =

configuration than the sshd one.

I see for example =

<https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-atta=
ck-nginx-go-offline.23912/>, =

but that's rather terse, and now 10 years old.

There are of course various 'top 20 ssh best practices !1!!' documents =

here and there, but their recommendations, while not necessarily wrong, =

tend to be rather voodoo, which doesn't make me trust them much.

I'm comfortable with basic pf configuration, but I haven't so far had to =

venture very far off-shore.  I'm reluctant to type in firewall rules I =

don't understand (*cough*).

I'm also using blacklistd on the jail host, with all its eccentricities.

Best wishes,

Norman


-- =

Norman Gray  :  https://nxg.me.uk