From owner-freebsd-security Sun Dec 3 21:23: 1 2000
From owner-freebsd-security@FreeBSD.ORG Sun Dec 3 21:22:58 2000
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from reddog.yi.org (cg632877-a.adubn1.nj.home.com [24.12.124.217]) by hub.freebsd.org (Postfix) with ESMTP id ADB3537B401 for ; Sun, 3 Dec 2000 21:22:57 -0800 (PST)
Received: by reddog.yi.org (Postfix, from userid 1001) id 024F4D22D; Sun, 3 Dec 2000 19:28:02 -0500 (EST)
Date: Sun, 3 Dec 2000 19:28:02 -0500
From: spectre
To: Holtor
Cc: freebsd-security@freebsd.org
Subject: Re: Rate Limiting syn-ack's
Message-ID: <20001203192802.A3502@reddog.yi.org>
References: <20001203012802.25514.qmail@web116.yahoomail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001203012802.25514.qmail@web116.yahoomail.com>; from holtor@yahoo.com on Sat, Dec 02, 2000 at 05:28:02PM -0800
Sender: pika@reddog.yi.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Dec 02, 2000 at 05:28:02PM -0800, Holtor wrote:
> Hi all,
>
> Is there any way I can limit outgoing syn-ack packets
> my computer sends? I had a large syn flood which was
> about 7 mbps incoming. The server also sent 7 mbps
> outgoing to reply to those syn's. How can I stop that
> or somehow rate limit to maybe 500 kbps or 1 mbps?
>
> I'm not able to find an option to do this using ipfw
> and/or dummynet.
>
> Thanks.
>
> Holt

Hello,

I think you should be looking at denying incoming SYN packets instead of denying outgoing SYN+ACK. There's lots of discussion going on about preventing SYN flooding and the general class thereof that's meant to consume network resources (look at CERT CA-2000-21). Basically the question comes down to: how to distinguish the valid SYNs from the invalid ones. And I for one don't know of a way to do this.

What you *might* look into is something like:

    # cap incoming connection-opening packets (SYN without ACK) at 1 Mbit/s
    ipfw add pipe 10 tcp from any to any in setup
    ipfw pipe 10 config bw 1Mbit/s queue 150KBytes

or if you could have a service that looks at how much traffic (SYNs) you are getting and then adds rules like:

    # a second pipe that also drops 3% of the matched packets (plr)
    ipfw add pipe 20 tcp from any to any in setup
    ipfw pipe 20 config bw 5Mbit/s queue 150KBytes plr 0.03

If you *must* do outgoing SYN-ACK, then just look at the first example given, and replace 'in' with 'out', and 'setup' with 'tcpflags syn,ack'.

Again the problem is, how do you limit those 1Mbit/s incoming SYNs to _valid_ ones. I don't know of any good way. Perhaps you can look at this as another form of a bandwidth saturation attack, which there really is no defense against without the help of your ISP.

P.S. I thought this off the top of my head, so consult man ipfw, and note that this doesn't handle fragments.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
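The rules spectre sketches above (an inbound pipe on `setup` packets, the outbound SYN+ACK variant, and a tier with a packet-loss rate added by a monitoring service) can be generated from one script so the pipe number in the `config` line always matches the one in the `add` line. This is an added example and not code from the thread or from FreeBSD; `IPFW` defaults to `echo` so it prints the commands as a dry run, and the pipe numbers, bandwidths, queue size and SYN-rate thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): compose ipfw/dummynet rules that
# rate-limit TCP connection-opening traffic. IPFW defaults to "echo" (dry run);
# set IPFW=ipfw on a FreeBSD host to apply the rules. All numbers are assumptions.
IPFW=${IPFW:-echo}

# synlimit_rules DIRECTION PIPE BW [PLR]
#   DIRECTION: "in"  -> limit incoming SYN (ipfw keyword "setup": SYN without ACK)
#              "out" -> limit outgoing SYN+ACK (ipfw "tcpflags syn,ack")
#   PIPE: dummynet pipe number   BW: e.g. 1Mbit/s   PLR: optional packet loss rate
synlimit_rules() {
    dir=$1; pipe=$2; bw=$3; plr=$4
    case "$dir" in
        in)  match="in setup" ;;
        out) match="out tcpflags syn,ack" ;;
        *)   echo "synlimit_rules: direction must be 'in' or 'out'" >&2; return 1 ;;
    esac
    # Configure the pipe before adding the rule that references it, so the same
    # pipe number is used in both commands.
    if [ -n "$plr" ]; then
        $IPFW pipe "$pipe" config bw "$bw" queue 150KBytes plr "$plr"
    else
        $IPFW pipe "$pipe" config bw "$bw" queue 150KBytes
    fi
    $IPFW add pipe "$pipe" tcp from any to any $match
}

# choose_plr SYNS_PER_SECOND
#   Stand-in for the "service that looks at how many SYNs you are getting":
#   prints nothing (no deliberate drops) below the first threshold and a loss
#   probability above it. The thresholds are constructed values, not measurements.
choose_plr() {
    syns=$1
    if [ "$syns" -ge 5000 ]; then
        echo 0.10
    elif [ "$syns" -ge 1000 ]; then
        echo 0.03
    else
        echo ""
    fi
}

# Dry run: 1 Mbit/s cap on incoming SYNs, the same cap on outgoing SYN+ACK, and
# a wider pipe whose loss rate is picked from a (constructed) measured SYN rate.
synlimit_rules in  10 1Mbit/s
synlimit_rules out 11 1Mbit/s
synlimit_rules in  20 5Mbit/s "$(choose_plr 2500)"
```

Running the script unchanged prints the six `ipfw` commands; with `IPFW=ipfw` it installs them. As the reply notes, this shapes all matching SYNs, valid ones included, so it trades connection-setup latency for bandwidth rather than telling legitimate clients from a flood.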