Date: Tue, 02 Nov 1999 17:41:24 +0000
From: Brian Somers
To: Mike Bush
Cc: freebsd-current@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: SYN Flood/DoS/PPP/ipfw
In-Reply-To: Message from Mike Bush of "Fri, 29 Oct 1999 14:16:50 CDT."

> The other day my machine was attacked with, what I believe is, a SYN
> flood. tcpdump gave me this output (1.1.1.1 is me and 2.2.2.2 is him)
>
> 20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 (DF)
> 20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 (DF)
> 20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 (DF)
> 20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 (DF)
> ...
>
> Anyways, this attack lasted for about 40 minutes and I had a firewall
> ('ipfw show' said the packets were being denied). After about 30 minutes
> my system began swapping.
> I looked around and found ppp (what I used to
> connect with via tun0) was now taking up 47MB of RAM and was still
> growing. The attack didn't really affect the system load until it started
> swapping.. and then it was minimal.
>
> So my question is.. Is this a problem with my firewall rules or a problem
> in ppp? (I run ppp with -alias) I was always under the impression that if
> you deny the SYN's where you can (or where they shouldn't be) then they
> can't cause a problem. I guess this is wrong.

I don't know of any memory leaks in ppp, but that doesn't mean much :-]

You could try staging the event again and doing a ppp ``show mem'' to
see how much memory ppp thinks it has.....

> My system:
> CPU: pII 266
> RAM: 64MB
> SWAP: 115MB
> OS: FreeBSD-current 4.0 (Oct 20, 1999)
>
> FreeBSD fan
> Mike

-- 
Brian

Don't _EVER_ lose your sense of humour !
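As an added illustration (not part of the thread, and not ppp or ipfw code), here is a small parser for the old-style tcpdump lines quoted above that flags a source sending a burst of bare SYNs to many different ports on one host, which is the pattern Mike's capture shows. The threshold values and the two non-flood sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout of the tcpdump lines quoted in the message:
#   HH:MM:SS.usec SRC.PORT > DST.PORT: S SEQ:SEQ(0) win N (DF)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

def parse_line(line):
    """Parse one tcpdump line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m.group("src"), "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        # old tcpdump prints a SYN/ACK as "S ... ack N", so exclude those
        "syn_only": m.group("flags") == "S" and " ack " not in line,
    }

def find_syn_floods(lines, window=1.0, min_syns=4):
    """Return {src: (syn_count, distinct_dst_ports)} for every source that
    sends at least min_syns bare SYNs within any window-second span.
    Thresholds are illustrative; tune them for the link being watched."""
    by_src = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["syn_only"]:
            by_src[p["src"]].append(p)
    floods = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        start = 0
        for end in range(len(pkts)):          # sliding window over time
            while pkts[end]["ts"] - pkts[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_syns and count > floods.get(src, (0, 0))[0]:
                ports = {p["dport"] for p in pkts[start:end + 1]}
                floods[src] = (count, len(ports))
    return floods

# Constructed sample: the four lines quoted from the message plus an
# ordinary SSH handshake from a third host, which must not be flagged.
SAMPLE = """\
20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 (DF)
20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 (DF)
20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 (DF)
20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 (DF)
20:57:06.100000 3.3.3.3.1025 > 1.1.1.1.22: S 5:5(0) win 8760 (DF)
20:57:06.100500 1.1.1.1.22 > 3.3.3.3.1025: S 9:9(0) ack 6 win 17520 (DF)
""".splitlines()
```

Running `find_syn_floods(SAMPLE)` reports only 2.2.2.2, with four SYNs to four distinct ports inside the one-second window.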