From owner-freebsd-security Thu May 13 19:40:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id 2932A1541B for ; Thu, 13 May 1999 19:40:10 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id WAA25919; Thu, 13 May 1999 22:40:39 -0400 (envelope-from jared)
Date: Thu, 13 May 1999 22:40:39 -0400
From: Jared Mauch
To: Brett Glass
Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Message-ID: <19990513224039.A25812@puck.nether.net>
Mail-Followup-To: Brett Glass , Thamer Al-Herbish , security@FreeBSD.ORG
References: <4.2.0.37.19990513161529.00c1e3f0@localhost> <19990513222133.A23982@puck.nether.net> <4.2.0.37.19990513202450.0444fca0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <4.2.0.37.19990513202450.0444fca0@localhost>; from Brett Glass on Thu, May 13, 1999 at 08:29:38PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 13, 1999 at 08:29:38PM -0600, Brett Glass wrote:
> How often are the IP addresses spoofed during SYN floods? (I know

	Most often, that's why you get your syn-ack holding queue so large,
you ack the forged syn, making it impossible to get the rest of the tcp
handshake going, as there is no machine, therefore hogging your system
resources.

> it's perfectly practical to do so, since the flooder doesn't
> care about responses, but routers may preclude it.)
>
> It could be that discarding SYNS from addresses that send excessive
> numbers of them would let the legitimate folk keep working.

	Yes, this would be good.

> As a backup, there could also be a random discard mechanism.

	This is necessary for the syn-attack issue, or at least something
pseudo-random, for both the syn-q and the syn-ack-q

	- jared

> At 10:21 PM 5/13/99 -0400, Jared Mauch wrote:
> > What would be ideal is to have a fair-queue such as this:
> >
> > real-queue = 16
> > extended-queue = 32
> >
> > once the real-queue fills with syns, fill the extended
> >queue, (these are folks that need syn-ack, btw), once the
> >extended queue fills, begin sequentially dropping elements from the
> >real-queue
> >
> > index++;
> > index = index%16;
> > drop(real_q[index]);
> > move(real_q[index], extend_q[index]);
> > (making extend_q[index] avail for the current syn to be put in)
> >
> > and sequentially add elements from index on
> >
> > if there is nothing in extend_q[index], you should not need
> >to drop real_q[index]
> >
> > (I picked 16 & 32 as arbitrary numbers, those can obviously
> >be any size, preferably equal);
> >
> > Obviously, doing preferred drops (based on dst port on our side),
> >ie: we have 200 syns for port 80, but only 3 for port 22, deal with the
> >3 that are not causing a problem first, so we can get ssh in, but let the
> >web folks go a bit slower.
> >
> > Doing truly random drops is always better, but on the average server
> >will induce more load than you'll save (IMHO).
> >
> > - jared
> >
> >On Thu, May 13, 1999 at 06:27:13PM -0700, Thamer Al-Herbish wrote:
> > > On Thu, 13 May 1999, Brett Glass wrote:
> > >
> > > > available (default to 100). This is the maximum number of SYNs per second
> > > > that will be processed, the rest will be silently discarded. On my test
> > >
> > > If I'm reading this correctly, it would not be very effective. I
> > > believe the OpenBSD fix was to randomly drop ports per a syn flooded
> > > port. So it would be "fair." Dropping all SYNs after a number of SYNs
> > > come in seems to be counter productive.
> > >
> > > Or does this actually work?
> > >
> > > --
> > > Thamer Al-Herbish PGP public key:
> > > shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
> > > [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
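The two-queue SYN cache Jared sketches in the quoted message (a "real" queue of SYN-ACKed half-open entries, an "extended" overflow queue, and sequential drops from the real queue once both are full, with the drop preferring the port that is under the most pressure) can be modelled in a few dozen lines of user-space C. The block below is an added illustration written for this archive page; it is not FreeBSD's syncache code and not code posted in the thread. Its assumptions: both queues have the same size (the "preferably equal" case, 16 here rather than the 16/32 of the mail), the victim for a drop is the next real-queue entry belonging to the destination port with the most pending SYNs (one concrete reading of the "deal with the 3 on port 22 first" idea), peers are opaque integer ids, and the flood in `demo_flood` is constructed input. The names `syncache_insert`, `syncache_complete`, `syncache_port_load` and `demo_flood` are this example's own.

```c
/* Added illustration of the two-queue SYN cache sketched in the thread: not
 * FreeBSD's syncache and not code from the mail. Queue sizes, names and the
 * port-aware victim choice are this example's own assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QSIZE 16  /* assumed: both queues the same size ("preferably equal") */
enum placement { PLACED_REAL = 0, PLACED_EXT = 1, EVICTED = 2 };

struct syn_entry { bool used; uint32_t src; uint16_t dport; }; /* src: opaque peer id */

struct syn_cache {
    struct syn_entry real_q[QSIZE]; /* half-open entries we have SYN-ACKed */
    struct syn_entry ext_q[QSIZE];  /* overflow, still waiting for a real_q slot */
    unsigned index;                 /* rotating position for sequential drops */
    unsigned dropped;               /* real_q entries discarded so far */
};

void syncache_init(struct syn_cache *c) { memset(c, 0, sizeof *c); }

static int find_free(const struct syn_entry *q)
{
    for (int i = 0; i < QSIZE; i++)
        if (!q[i].used) return i;
    return -1;
}

/* Pending SYNs in both queues aimed at dport: the per-port load that the
 * "deal with the quiet port first" policy compares. */
unsigned syncache_port_load(const struct syn_cache *c, uint16_t dport)
{
    unsigned n = 0;
    for (int i = 0; i < QSIZE; i++) {
        if (c->real_q[i].used && c->real_q[i].dport == dport) n++;
        if (c->ext_q[i].used && c->ext_q[i].dport == dport) n++;
    }
    return n;
}

/* Victim for a drop: walk sequentially from the rotating index and take the
 * first real_q entry whose destination port has the most pending SYNs, so a
 * flood on port 80 evicts its own entries before the few on port 22. */
static unsigned choose_victim(const struct syn_cache *c)
{
    unsigned best = (c->index + 1) % QSIZE, best_load = 0;
    for (unsigned k = 1; k <= QSIZE; k++) {
        unsigned i = (c->index + k) % QSIZE;
        unsigned load = syncache_port_load(c, c->real_q[i].dport);
        if (load > best_load) { best_load = load; best = i; }
    }
    return best;
}

/* A SYN arrived: fill real_q, then ext_q; once both are full, drop one real_q
 * entry, promote ext_q[i] into its slot (it now gets its SYN-ACK) and park the
 * new SYN in the ext_q slot that just opened up. */
int syncache_insert(struct syn_cache *c, uint32_t src, uint16_t dport)
{
    struct syn_entry e = { true, src, dport };
    int slot;
    if ((slot = find_free(c->real_q)) >= 0) { c->real_q[slot] = e; return PLACED_REAL; }
    if ((slot = find_free(c->ext_q)) >= 0) { c->ext_q[slot] = e; return PLACED_EXT; }
    unsigned i = choose_victim(c);
    c->index = i;
    c->dropped++;
    c->real_q[i] = c->ext_q[i];
    c->ext_q[i] = e;
    return EVICTED;
}

/* Final ACK of the handshake. Only real_q entries were SYN-ACKed, so only they
 * can complete; returns true if the entry was found and released. */
bool syncache_complete(struct syn_cache *c, uint32_t src, uint16_t dport)
{
    for (int i = 0; i < QSIZE; i++)
        if (c->real_q[i].used && c->real_q[i].src == src && c->real_q[i].dport == dport) {
            c->real_q[i].used = false;
            return true;
        }
    return false;
}

struct syn_cache demo_cache; /* global so the state can be inspected afterwards */

/* Constructed flood: 32 SYNs for port 80 fill both queues, then one SYN for
 * port 22 and one more for port 80 force evictions. Returns the number of
 * real_q entries dropped; the lone port-22 SYN survives in ext_q. */
unsigned demo_flood(void)
{
    syncache_init(&demo_cache);
    for (uint32_t s = 1; s <= 2 * QSIZE; s++) syncache_insert(&demo_cache, s, 80);
    syncache_insert(&demo_cache, 100, 22);
    syncache_insert(&demo_cache, 200, 80);
    return demo_cache.dropped;
}

int main(void)
{
    unsigned dropped = demo_flood();
    printf("dropped=%u port80=%u port22=%u\n", dropped,
           syncache_port_load(&demo_cache, 80), syncache_port_load(&demo_cache, 22));
    return 0;
}
```

Running the constructed flood drops two real-queue entries, both belonging to port 80, while the single port-22 SYN is kept; a forged peer that never completes its handshake is only ever displaced by the eviction path, and an entry that was never SYN-ACKed (still in `ext_q`) cannot be completed at all, which is the resource-holding behaviour the thread is arguing about.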