From owner-freebsd-security@FreeBSD.ORG Tue May 20 05:36:22 2003
Message-ID: <3ECA2141.7804A81@dolaninformation.com>
Date: Tue, 20 May 2003 07:36:17 -0500
From: Greg Panula
Organization: Dolan Information Center Inc
To: Ryan James
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Reply-To: greg.panula@dolaninformation.com
List-Id: Security issues [members-only posting]

Ryan James wrote:
>
> Hello,
>
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs Red Hat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.
>
> Any suggestions would be greatly appreciated.

Wouldn't syn cookies help in this situation?

Since the firewall is a bridge, you would have to enable syn cookies on the
affected Red Hat box. According to this link:

    http://cr.yp.to/syncookies.html

Linux supports syn cookies:

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

but they are not enabled by default. I believe they are enabled by default on
FreeBSD. :)

Otherwise, to use syn cookies at the firewall, the firewall would have to have
syn cookies enabled (sysctl variable net.inet.tcp.syncookies) and NAT the
incoming traffic.

I haven't done any testing of syn cookies' protection against syn floods, but it
is what they were designed for. :)

good luck,
greg
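As an added example that is not part of the original thread, the following POSIX shell script audits the two knobs Greg names (the Linux procfs file and the FreeBSD sysctl) and reports whether SYN cookies are protecting the host. The procfs path is a parameter so the logic can be exercised against a constructed file; the meaning of the Linux values 0/1/2 is from the kernel's documented semantics, not from the thread.

```shell
#!/bin/sh
# Added example: audit TCP SYN cookie state on a Linux or FreeBSD host.
#   Linux:   /proc/sys/net/ipv4/tcp_syncookies  (0 off, 1 on backlog overflow, 2 always)
#   FreeBSD: sysctl net.inet.tcp.syncookies      (0 off, 1 on)

# Translate a raw knob value into a word: disabled, enabled, always or unknown.
describe_syncookies() {
    case "$1" in
        0) printf 'disabled\n' ;;
        1) printf 'enabled\n' ;;   # Linux: cookies once the SYN backlog overflows
        2) printf 'always\n' ;;    # Linux only: a cookie for every SYN
        *) printf 'unknown\n' ;;
    esac
}

# Read the Linux knob. An alternate path may be passed for offline testing.
read_linux_syncookies() {
    path="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    if [ ! -r "$path" ]; then
        printf 'missing\n'
        return 1
    fi
    tr -d '[:space:]' < "$path"
    printf '\n'
}

# Read the FreeBSD knob; sysctl -n prints only the value.
read_freebsd_syncookies() {
    sysctl -n net.inet.tcp.syncookies 2>/dev/null || { printf 'missing\n'; return 1; }
}

# Pick the knob for this OS and report. Exit 0 only when cookies are on.
check_syncookies() {
    case "$(uname -s)" in
        Linux)   v=$(read_linux_syncookies) ;;
        FreeBSD) v=$(read_freebsd_syncookies) ;;
        *)       printf 'unsupported OS\n'; return 2 ;;
    esac
    state=$(describe_syncookies "$v")
    printf 'SYN cookies: %s (raw value: %s)\n' "$state" "$v"
    [ "$state" = enabled ] || [ "$state" = always ]
}

check_syncookies || printf 'SYN cookies are not protecting this host\n'
```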