Date: Tue, 02 Nov 1999 17:41:24 +0000
From: Brian Somers <brian@Awfulhak.org>
To: Mike Bush <mab@kougars.kish.cc.il.us>
Cc: freebsd-current@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: SYN Flood/DoS/PPP/ipfw
Message-ID: <199911021741.RAA00508@hak.lan.Awfulhak.org>
In-Reply-To: Message from Mike Bush <mab@kougars.kish.cc.il.us> of "Fri, 29 Oct 1999 14:16:50 CDT." <Pine.GHP.4.10.9910291346050.25307-100000@kougars.kish.cc.il.us>

> The other day my machine was attacked with, what I believe is, a SYN
> flood. tcpdump gave me this output (1.1.1.1 is me and 2.2.2.2 is him)
>
> 20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
> 20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
> 20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
> 20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
> ...
>
> Anyways, this attack lasted for about 40 minutes and I had a firewall
> ('ipfw show' said the packets were being denied). After about 30 minutes
> my system began swapping. I looked around and found ppp (what I used to
> connect with via tun0) was now taking up 47MB of RAM and was still
> growing. The attack didn't really affect the system load until it started
> swapping.. and then it was minimal.
>
> So my question is.. Is this a problem with my firewall rules or a problem
> in ppp? (I run ppp with -alias) I was always under the impression that if
> you deny the SYNs where you can (or where they shouldn't be) then they
> can't cause a problem. I guess this is wrong.

I don't know of any memory leaks in ppp, but that doesn't mean
much :-]

You could try staging the event again and doing a ppp ``show mem''
to see how much memory ppp thinks it has.....

> My system:
> CPU: pII 266
> RAM: 64MB
> SWAP: 115MB
> OS: FreeBSD-current 4.0 (Oct 20, 1999)
>
> FreeBSD fan
> Mike

--
Brian <brian@Awfulhak.org> <brian@FreeBSD.org>
<http://www.Awfulhak.org> <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@FreeBSD.org.uk>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message