From owner-freebsd-security@FreeBSD.ORG  Tue May 20 06:46:53 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0F4C337B401
	for <freebsd-security@freebsd.org>;
	Tue, 20 May 2003 06:46:53 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id 1F80E43FCB
	for <freebsd-security@freebsd.org>;
	Tue, 20 May 2003 06:46:52 -0700 (PDT)	(envelope-from silby@silby.com)
Received: (qmail 90869 invoked from network); 20 May 2003 13:46:51 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70)
  by relay.pair.com with SMTP; 20 May 2003 13:46:51 -0000
X-pair-Authenticated: 209.68.2.70
Date: Tue, 20 May 2003 08:45:34 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: jeremie le-hen <le-hen_j@epita.fr>
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
Message-ID: <20030520084338.W56510@odysseus.silby.com>
References: <BAEF3AC0.9998%ryan@mac2.net>
	<20030520095759.GA26095@carpediem.epita.fr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2003 13:46:53 -0000


On Tue, 20 May 2003, jeremie le-hen wrote:

> Note that in fact, this might be achieved on your firewall (FreeBSD also
> supports syncookies), but this would imply TCP SYN to be received by the
> firewall itself, which in turn would forward the TCP connection to the
> appropriate server once the connection would be fully established.
> (I think a simple TCP tunnel with a NAT redirection to localhost should
> work.)
>
> Regards,
> --
> Jeremie aka TtZ/TataZ
> jeremie.le-hen@epita.fr

You could certainly pull that off with an application level proxy, but the
disadvantage would be that the server would no longer be able to determine
the source IP of the machines connecting to it.

It would be possible to add the syncache / syncookies to ipfw so that it
could be used to protect hosts behind it, but I don't think anyone has
tried an implementation of that yet.

Mike "Silby" Silbersack