From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 01:55:05 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DE9D16A4CE for ; Sat, 7 Feb 2004 01:55:05 -0800 (PST)
Received: from mailbox.wingercom.dk (mailbox.wingercom.dk [81.19.240.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2108543D2F for ; Sat, 7 Feb 2004 01:55:05 -0800 (PST) (envelope-from per@xterm.dk)
Received: from mailbox.wingercom.dk (localhost [127.0.0.1]) by mailbox.wingercom.dk (Postfix) with SMTP id 3119C93212; Sat, 7 Feb 2004 10:58:49 +0100 (CET)
Received: from 62.242.151.142 (SquirrelMail authenticated user per) by mailbox.wingercom.dk with HTTP; Sat, 7 Feb 2004 10:58:49 +0100 (CET)
Message-ID: <32969.62.242.151.142.1076147929.squirrel@mailbox.wingercom.dk>
Date: Sat, 7 Feb 2004 10:58:49 +0100 (CET)
From: "Per Engelbrecht"
To:
In-Reply-To: <1076133554.40247eb21c430@webmail.icenetworks.com>
References: <1076133554.40247eb21c430@webmail.icenetworks.com>
X-Mailer: SquirrelMail (version 1.2.5)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
cc: freebsd-security@freebsd.org
Subject: Re: SYN Attacks - how i cant stop it
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 07 Feb 2004 09:55:05 -0000

Hi,

> all nights. Check this.
>
> Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117

It's hard to get rid of shit-heads like this - I'm talking about the person doing this attack, that is.

You send a looong output of a log, but no info on your system or any adjustments you have made (or not made) on your system, i.e. kernel (options), sysctl (tweaks) and ipfw (rules). If the problem is out of bandwidth (and your system has already been optimized) then the only real solution is more 'pipe', a.k.a. the Microsoft solution.

So far I've only been guessing, but here is what I normally do with my setup. I'm not telling you that this is the solution! Just advice!

Kernel:

options SC_DISABLE_REBOOT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
options IPSTEALTH           (don't touch the ttl / can't see the wall)
options TCP_DROP_SYNFIN     (drop tcp packets with syn+fin / scanners)
options RANDOM_IP_ID        (hard to calculate the IP frequency number)
options DUMMYNET            (e.g. 40% for web, 30% for mail and so on)
options DEVICE_POLLING      (can't do this short, and not with SMP)
options HZ=1000             (can't do this short, and not with SMP)

Sysctl:

kern.ipc.somaxconn=1024          # this is set high!
kern.ipc.nmbclusters=65536       # this is set high!
kern.polling.enable=1            # remember kernel options
kern.polling.user_frac=50        # 50 to 90; remember kernel options
net.xorp.polling=1
net.xorp.poll_burst=10
net.xorp.poll_in_trap=3

(if you use dynamic rules in ipfw [stateful] you can tweak these)

net.inet.ip.fw.dyn_ack_lifetime=200    # shorter timeout on connections
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=20
net.inet.ip.fw.dyn_rst_lifetime=5
net.inet.ip.fw.dyn_short_lifetime=10   # longer timeout for e.g. icmp
net.inet.ip.fw.dyn_max=1500            # higher number of dynamic rules
net.inet.ip.fw.dyn_count               # count of dynamic rules

ipfw:

There's a zillion ways to set it up. Start with a few rules regarding lo0 and icmp. Then use stateful inspection and dynamic rules for the rest of the wall.

... and by the way, I could see that a few of the scans came from RIPE ranges. Do some digging and report it! Even if the boxes are used without the owners' awareness, you can [we all can] bring this part to an end.

respectfully
/per
per@xterm.dk
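The ipfw layout Per sketches above (lo0 and icmp first, then check-state / keep-state for the rest) together with the dyn_* sysctls from his list, written out as an rc.firewall-style script. This is an added example, not code from the mail or from FreeBSD; it assumes an external interface named fxp0 and inbound services on ports 22, 25 and 80 (placeholders), and it prints the commands instead of loading them unless run with --apply.

```shell
#!/bin/sh
# Added example (not from the original mail): an rc.firewall-style script
# for the ruleset layout described above plus the dynamic-rule sysctls.
# Assumptions: external interface is fxp0 and the host serves TCP 22/25/80;
# both are placeholders. Pass "echo" as the command argument to dry-run.

oif="${OIF:-fxp0}"       # assumed external interface name
services="22 25 80"      # assumed inbound TCP services

# Emit the ipfw dynamic-rule tuning from the mail as sysctl invocations.
tune_sysctls() {
    cmd="${1:-/sbin/sysctl}"
    $cmd kern.ipc.somaxconn=1024
    $cmd kern.ipc.nmbclusters=65536
    $cmd net.inet.ip.fw.dyn_ack_lifetime=200
    $cmd net.inet.ip.fw.dyn_syn_lifetime=20
    $cmd net.inet.ip.fw.dyn_fin_lifetime=20
    $cmd net.inet.ip.fw.dyn_rst_lifetime=5
    $cmd net.inet.ip.fw.dyn_short_lifetime=10
    $cmd net.inet.ip.fw.dyn_max=1500
}

# Load the ruleset. $1 is the ipfw binary, or "echo" for a dry run.
load_rules() {
    fw="${1:-/sbin/ipfw}"
    $fw -f flush

    # Loopback first: allow lo0, refuse 127/8 on any real interface.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any

    # ICMP: echo reply/request, unreachable and time-exceeded only.
    $fw add 200 allow icmp from any to any icmptypes 0,3,8,11
    $fw add 210 deny icmp from any to any

    # Stateful section: packets matching an existing dynamic rule pass here.
    $fw add 300 check-state

    # Outbound connections from this host create the dynamic rules
    # that let the replies back in.
    $fw add 400 allow tcp from me to any out via "$oif" setup keep-state
    $fw add 410 allow udp from me to any out via "$oif" keep-state

    # Inbound services: cap simultaneous states per source address so a
    # single flooding host cannot fill dyn_max with half-open connections.
    for p in $services; do
        $fw add 500 allow tcp from any to me "$p" in via "$oif" setup limit src-addr 10
    done

    # Everything else is dropped. New inbound SYNs are logged (rate-limited
    # by IPFIREWALL_VERBOSE_LIMIT) so scans like the quoted one are visible.
    $fw add 900 deny log tcp from any to any in via "$oif" setup
    $fw add 65000 deny log ip from any to any
}

# Without --apply the script only prints what it would do.
if [ "${1:-}" = "--apply" ]; then
    tune_sysctls /sbin/sysctl
    load_rules /sbin/ipfw
else
    tune_sysctls echo
    load_rules echo
fi
```

The check-state rule must come before the keep-state and limit rules, otherwise the second packet of every connection is evaluated against the static rules again and the dynamic state buys nothing; dyn_max and the short dyn_syn_lifetime from the mail decide how many half-open states a SYN flood can park in that table before new ones are refused.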