From owner-freebsd-security@FreeBSD.ORG Tue May 20 02:58:06 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 012AF37B401 for ; Tue, 20 May 2003 02:58:06 -0700 (PDT) Received: from epita.fr (hermes.epita.fr [163.5.255.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id C160743FBF for ; Tue, 20 May 2003 02:58:04 -0700 (PDT) (envelope-from le-hen_j@epita.fr) Received: from carpediem (carpediem.epita.fr [10.42.42.5]) by epita.fr id h4K9w0m04590 for freebsd-security@freebsd.org EPITA Paris France Tue, 20 May 2003 11:58:00 +0200 (MEST) Date: Tue, 20 May 2003 11:58:00 +0200 From: jeremie le-hen To: freebsd-security@freebsd.org Message-ID: <20030520095759.GA26095@carpediem.epita.fr> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Subject: Re: FreeBSD firewall block syn flood attack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 May 2003 09:58:06 -0000 > I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and > the internet. The servers are being attacked with syn floods and go down > multiple times a day. > > The 7 servers belong to a client, who runs redhat. > > I am trying to find a way to do some kind of syn flood protection inside the > firewall. I don't think a firewall can achieve this, even if it has some matching options like the "limit" match in Netfilter, which permits to specify a maximum number of times a rule can match in a given period, since if the SYN-flood is cleverly done (ie. randomly spoofed), other valid connections attempts will be also limited. IMHO, the only efficient way to achieve this is to use syncookies on the servers themselves. You should tell your client to set CONFIG_SYNCOOKIES in their Linux kernel (in fact, in RedHat, it should already be the case, at least if the kernel is recent enough), and then to turn it on with: echo 1 >/proc/sys/net/ipv4/tcp_syncookies Here is a description of this sysctl: tcp_syncookies - BOOLEAN Only valid when the kernel was compiled with CONFIG_SYNCOOKIES Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'syn flood attack' Default: FALSE Note, that syncookies is fallback facility. It MUST NOT be used to help highly loaded servers to stand against legal connection rate. If you see synflood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune another parameters until this warning disappear. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you. While you see synflood warnings in logs not being really flooded, your server is seriously misconfigured. Note that in fact, this might be achieved on your firewall (FreeBSD also supports syncookies), but this would imply TCP SYN to be received by the firewall itself, which in turn would forward the TCP connection to the appropriate server once the connection would be fully established. (I think a simple TCP tunnel with a NAT redirection to localhost should work.) Regards, -- Jeremie aka TtZ/TataZ jeremie.le-hen@epita.fr