Date:      Sun, 3 Dec 2000 19:28:02 -0500
From:      spectre <ai32@drexel.edu>
To:        Holtor <holtor@yahoo.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Rate Limiting syn-ack's
Message-ID:  <20001203192802.A3502@reddog.yi.org>
In-Reply-To: <20001203012802.25514.qmail@web116.yahoomail.com>; from holtor@yahoo.com on Sat, Dec 02, 2000 at 05:28:02PM -0800
References:  <20001203012802.25514.qmail@web116.yahoomail.com>

On Sat, Dec 02, 2000 at 05:28:02PM -0800, Holtor wrote:
> Hi all,
> 
> Is there any way I can limit outgoing syn-ack packets
> my computer sends? I had a large syn flood which was
> about 7 mbps incoming. The server also sent 7 mbps
> outgoing to reply to those syn's. How can I stop that
> or somehow rate limit to maybe 500 kbps or 1 mbps?
> 
> I'm not able to find an option to do this using ipfw
> and/or dummynet.
> 
> Thanks.
> 
> Holt

Hello,

I think you should be looking at denying incoming
SYN packets instead of denying outgoing SYN+ACK.

There's lots of discussion going on about preventing SYN
flooding and the general class thereof that's meant to
consume network resources (look at CERT CA-2000-21).

Basically the question comes down to: how to distinguish the
valid SYNs from the invalid ones.  And I for one don't
know of a way to do this.

What you *might* look into is something like:

  ipfw add pipe 10 tcp from any to any in setup
  ipfw pipe 10 config bw 1Mbit/s queue 150KBytes

or if you could have a service that looks at how much
traffic (SYNs) you are getting and then adds rules
like:
  
  ipfw add pipe 20 tcp from any to any in setup
  ipfw pipe 20 config bw 5Mbit/s queue 150KBytes plr 0.03

If you *must* do outgoing SYN-ACK, then just look
at the first example given, and replace 'in' with
'out', and 'setup' with 'tcpflags syn,ack'.

Again the problem is, how do you limit those 1Mbit/s
incoming SYNs to _valid_ ones.  I don't know of any good
way.  Perhaps you can look at this as another form of a
bandwidth saturation attack, which, there really is no
defense against without the help of your ISP.


P.S. I thought this off the top of my head, so consult
     man ipfw, and note that this doesn't handle
     fragments.


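The "service that looks at how much traffic (SYNs) you are getting and then adds rules" sketched in the message above, as an added example that is not part of the original post or of FreeBSD's own tooling. It samples the cumulative "connection requests" counter from `netstat -s -p tcp` output, turns two samples into a SYN rate, and emits ipfw/dummynet rules in the style of the post whose bandwidth cap and packet-loss rate tighten as the rate climbs. Assumptions not in the original: the netstat line format, rule number 100, pipe number 20, the two rate thresholds, and the sample counters, which are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD-style
# `netstat -s -p tcp` output containing a line "<N> connection requests".
# Rule number 100, pipe 20 and the thresholds below are arbitrary choices.

# Read netstat -s -p tcp output on stdin, print the cumulative
# "connection requests" (inbound SYN) counter.
syn_count() {
    awk '/connection requests/ { print $1; exit }'
}

# SYNs per second between two counter samples taken $3 seconds apart.
syn_rate() {
    before=$1; after=$2; interval=$3
    echo $(( (after - before) / interval ))
}

# Print the ipfw commands to apply for the observed SYN rate, following the
# post: a dummynet pipe on inbound TCP "setup" (SYN, no ACK) packets, with a
# bandwidth cap plus a random packet-loss rate (plr) under heavy load.
# Prints nothing when the rate is below the lower threshold.
ipfw_rules_for() {
    rate=$1
    if [ "$rate" -lt 500 ]; then
        return 0
    elif [ "$rate" -lt 5000 ]; then
        bw=5Mbit/s; plr=0.03     # moderate flood: cap and drop 3%
    else
        bw=1Mbit/s; plr=0.10     # heavy flood: tighter cap, drop 10%
    fi
    printf 'ipfw add 100 pipe 20 tcp from any to any in setup\n'
    printf 'ipfw pipe 20 config bw %s queue 150KBytes plr %s\n' "$bw" "$plr"
}

# Commands to undo the throttle once the flood subsides.
ipfw_rules_off() {
    printf 'ipfw delete 100\n'
    printf 'ipfw pipe 20 delete\n'
}

# Constructed netstat samples 10 seconds apart (12000 SYNs in 10 s = 1200/s).
SAMPLE_BEFORE='tcp:
	5000 packets sent
	300 connection requests
	150 connection accepts'
SAMPLE_AFTER='tcp:
	9000 packets sent
	12300 connection requests
	160 connection accepts'

# One monitoring pass over the constructed samples; in a real loop the two
# samples would come from `netstat -s -p tcp` and the output would be piped
# into sh (or to the log while testing).
demo() {
    before=$(printf '%s\n' "$SAMPLE_BEFORE" | syn_count)
    after=$(printf '%s\n' "$SAMPLE_AFTER" | syn_count)
    rate=$(syn_rate "$before" "$after" 10)
    echo "# observed SYN rate: ${rate}/s"
    ipfw_rules_for "$rate"
}

demo
```

The thresholds are where the post's caveat bites: nothing here tells valid SYNs from spoofed ones, so the pipe slows legitimate connection setup along with the flood. Run the output through `sh` only after checking it by eye, and remember the post's note that these rules do not handle fragments.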





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001203192802.A3502>