From owner-freebsd-security Fri May 14 15:13:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 9B13C154A7 for ; Fri, 14 May 1999 15:12:14 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id AAA22668; Sat, 15 May 1999 00:10:18 +0200 (CEST)
Message-ID: <19990515001018.A22645@foobar.franken.de>
Date: Sat, 15 May 1999 00:10:18 +0200
From: Harold Gutch
To: Brett Glass, Matthew Dillon
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
References: <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost> <19990514225001.A22317@foobar.franken.de> <4.2.0.37.19990514154319.04610b80@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <4.2.0.37.19990514154319.04610b80@localhost>; from Brett Glass on Fri, May 14, 1999 at 03:46:19PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 14, 1999 at 03:46:19PM -0600, Brett Glass wrote:
> At 10:50 PM 5/14/99 +0200, Harold Gutch wrote:
> >On Fri, May 14, 1999 at 02:05:51PM -0600, Brett Glass wrote:
> > > Any technique that requires the originator to receive your
> > > SYN-ACK and generate a specific response before you commit
> > > resources is acceptable. Heck, you don't even really need
> > > a cryptographically strong hash for this. Is Linux really
> > > doing one MD5 per SYN? If so, I can think of a few other
> > > techniques that would give us a speed advantage. We'd be
> > > able to beat them in the benchmarks while still providing
> > > good protection against SYN flooding.
> >
> >Ah, that's a very good point, I never thought of the
> >speed-question.
>
> Actually, it turns out that the Linux approach requires
> a minimum of two MD5's -- one at the time of the SYN
> and again when the SYNner responds to the SYN-ACK. I
> think there are a total of three in their algorithm.
> This gives us a chance to gain a LOT of speed if we
> can avoid doing all those MD5s.
>
Why should we do anything at all? Our current tactic (simply
dropping sockets in SYN_RCVD state if a certain backlog fills up
and another SYN comes in) seems to work quite well. You'll get in
trouble though if the flooder manages to flush through the complete
backlog in a timeframe shorter than the 2nd and the 3rd packet of
the handshake take for the way back to the client and back to the
server again. Perhaps dropping a random socket is a better
approach...

> >But you are right - back to the original topic. I checked my
> >2.2.8 boxes and flooded them with 1 Million SYN packets taking
> >about 1 minute, so that's (roughly) 16000 SYNs per second. I did
> >not manage to kill them with this.
>
> It may also depend on the complexity of your routing tables.
>
1 loopback-route, 2 host routes, 2 network routes and a default-route.
Not much, but I could add a number of bogus routes and try to crash
the box then by SYN-flooding it. How many routes should I add?

bye,
  Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
                                Wed Mar  4 04:53:33 CET 1998 #unix, ircnet

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
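The argument in Harold's reply (an oldest-first drop of SYN_RCVD entries only fails once the flooder can flush the whole backlog within one client round trip, and a random drop "might be better") can be checked with a small simulation. The following is an added example written for this page, not code from the thread or from FreeBSD. It models the listen backlog as a bounded list with two assumed eviction policies ("oldest" and "random"), takes a backlog size of 128 and the roughly 16000 SYN/s from Harold's flood test as constructed inputs, and ignores timers, retransmits and everything else a real stack does; the legitimate client's SYN arrives while the backlog is already full of spoofed entries, which is the sustained-flood case.

```python
"""Toy model of a listen backlog under a SYN flood.

Two eviction policies for a full SYN_RCVD backlog are compared:
  * "oldest": a new SYN evicts the oldest half-open entry
  * "random": a new SYN evicts a uniformly chosen entry
The question modelled is whether one legitimate client's SYN_RCVD entry
survives one round trip (until its ACK arrives) while an attacker keeps
the backlog full.  Constructed model with assumed numbers; this is not
FreeBSD's implementation.
"""
import random


class Backlog:
    """Bounded, ordered list of half-open (SYN_RCVD) connections."""

    def __init__(self, capacity, policy, rng):
        if policy not in ("oldest", "random"):
            raise ValueError("policy must be 'oldest' or 'random'")
        self.capacity = capacity
        self.policy = policy
        self.rng = rng
        self.entries = []  # index 0 is the oldest entry

    def syn(self, conn_id):
        """A SYN arrives: evict one entry if full, then queue the new one."""
        if len(self.entries) >= self.capacity:
            if self.policy == "oldest":
                self.entries.pop(0)
            else:
                self.entries.pop(self.rng.randrange(len(self.entries)))
        self.entries.append(conn_id)

    def ack(self, conn_id):
        """Third handshake packet: completes only if the entry survived."""
        if conn_id in self.entries:
            self.entries.remove(conn_id)
            return True
        return False


def survival_rate(policy, capacity, syns_per_ms, rtt_ms, trials, seed=1):
    """Fraction of legitimate handshakes that complete under the flood.

    Per trial: the backlog is pre-filled with spoofed entries, one
    legitimate SYN is queued, the attacker injects syns_per_ms * rtt_ms
    further spoofed SYNs during the client's round trip, then the
    legitimate ACK arrives.
    """
    rng = random.Random(seed)
    completed = 0
    for trial in range(trials):
        backlog = Backlog(capacity, policy, rng)
        for n in range(capacity):
            backlog.syn(("prefill", trial, n))
        legit = ("legit", trial)
        backlog.syn(legit)
        for n in range(syns_per_ms * rtt_ms):
            backlog.syn(("spoofed", trial, n))
        if backlog.ack(legit):
            completed += 1
    return completed / trials


def expected_random_survival(capacity, attacker_syns):
    """Closed form for the random policy on a full backlog: every attacker
    SYN evicts the legitimate entry with probability 1/capacity."""
    return (1 - 1 / capacity) ** attacker_syns


if __name__ == "__main__":
    CAP = 128   # assumed backlog size
    RATE = 16   # ~16000 SYN/s from the flood test in the mail, per ms
    for rtt in (5, 10, 20):
        n_atk = RATE * rtt
        print(f"rtt={rtt:2d}ms spoofed SYNs per RTT={n_atk:4d} "
              f"oldest={survival_rate('oldest', CAP, RATE, rtt, 500):.2f} "
              f"random={survival_rate('random', CAP, RATE, rtt, 500):.2f} "
              f"(closed form {expected_random_survival(CAP, n_atk):.2f})")
```

Under these assumptions the oldest-first policy is all-or-nothing: with 16 SYN/ms and a 5 ms round trip (80 spoofed SYNs per RTT, fewer than the 128 slots) every legitimate handshake completes, while at 10 ms (160 per RTT) the backlog is flushed inside the round trip and none do, which is exactly the failure Harold describes. Random eviction degrades gracefully instead (about 0.53 and 0.29 in the same two cases), so it helps once the attacker's rate exceeds backlog/RTT but is strictly worse below that threshold; the caveat a practitioner would want is that neither policy helps at all once the rate is high enough that (1 - 1/capacity)^N is negligible, which is where SYN cookies come in.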