Date:      Sun, 12 Dec 1999 15:23:08 -0500
From:      "Greg Prosser" <greg@snickers.org>
To:        <freebsd-questions@freebsd.org>
Subject:   SYN Hardening patches? / SYN Code in 3.4-RC
Message-ID:  <NDBBKDPPPIAOMPHNGECCCEPKCBAA.greg@snickers.org>

	Hey guys, sorry to throw off your weekends, but I have a few quick
questions that I'd like answers to, and searches turn up fairly little.

	First of all, I operate a machine that frequently comes under heavy denial
of service attacks, which often include SYN attacks. This often causes
kernel panics and reboots with messages logged as '/kernel: Out of mbuf
clusters - adjust NMBCLUSTERS or increase maxusers!'. I had maxusers at 256
at that point, and had 'options NMBCLUSTERS=2048' in the kernel as well --
it still failed.
	I'm hoping that increasing maxusers to 512, and bumping NMBCLUSTERS to 4096
is going to provide some help, but somehow I doubt it. (1MB/s of SYN packets
coming in does not fare well, and the unplanned boots are wreaking havoc on
my filesystems).
	I don't know what mbuf clusters even are, so any light on the situation
there could help too. As far as I've found, mbuf clusters are simply the
'backlog' created by sending SYN packets? For open sockets and the like.

	I've explored LINT, and come across these options:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options         TCP_RESTRICT_RST        #restrict emission of TCP RST

	I added the second to the last kernel that did fault, and omitted the first
because we do run a webserver, and it just had that spooky sound with it
that rm -rf / gives off :)

	I've also come across a patch posted to a mailing list for FreeBSD 3.1, for
SYN_RATELIM'ing, sounds like this could also help.
	(http://www2.merton.ox.ac.uk/~security/archive-199905/0282.html)

	I'm at a complete loss for what to do here -- I'd like the reboots to stop.

	Any help you could give me at all would be appreciated, whacks with
clue-by-fours aren't that bad either.

Thanks in advance!

                    .           .      .   ... ..  .     ..   .... .
             x y s t @ s t r a y n e t . c o m                 __
senior administrator, straynet online      .--.--.--.--.-----.|  |_
it was designed to do that. honest.        |_   _|  |  |__ --||   _|
icq: 10405504             aol im: xysters  |__.__|___  |_____||____|
                                                 |_____|
Jennifer Lopez? -- Now THAT's big endian!
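As an added illustration of why a SYN flood runs the box out of mbuf clusters and what a rate limiter changes, here is a toy Python model; it is not code from the post or from FreeBSD, and the pool size, the half-open timeout, the per-source limit and the 20 source addresses are all constructed parameters.

```python
"""Toy model of a SYN backlog eating a fixed mbuf-cluster pool.

Added example, not code from the post or from FreeBSD. One half-open
connection is charged one cluster (a simplification of the real mbuf
accounting); pool size, timeout, rate limit and the source addresses
below are constructed parameters.
"""
from collections import defaultdict, deque


class SynBacklog:
    def __init__(self, clusters, syn_timeout, rate_limit=None, window=1.0):
        self.clusters = clusters        # clusters available to half-open entries
        self.timeout = syn_timeout      # seconds a half-open entry is kept
        self.rate_limit = rate_limit    # max SYNs per source per window, None = off
        self.window = window
        self.half_open = deque()        # (expiry, src), oldest first
        self.recent = defaultdict(deque)  # src -> arrival times inside the window
        self.dropped = 0                # SYNs refused by the rate limiter
        self.exhausted = False          # the "Out of mbuf clusters" condition

    def _expire(self, now):
        while self.half_open and self.half_open[0][0] <= now:
            self.half_open.popleft()

    def receive_syn(self, now, src):
        """Return True if the SYN gets a backlog entry, False if it is refused."""
        self._expire(now)
        if self.rate_limit is not None:
            seen = self.recent[src]
            while seen and seen[0] <= now - self.window:
                seen.popleft()
            if len(seen) >= self.rate_limit:
                self.dropped += 1
                return False
            seen.append(now)
        if len(self.half_open) >= self.clusters:
            self.exhausted = True   # the kernel in the post panics at this point
            return False
        self.half_open.append((now + self.timeout, src))
        return True


def flood(backlog, pps, seconds, sources):
    """Replay a constructed flood of `pps` SYNs per second, round-robin over sources."""
    for i in range(int(pps * seconds)):
        backlog.receive_syn(i / pps, sources[i % len(sources)])
    return backlog


SOURCES = ["192.0.2.%d" % i for i in range(1, 21)]   # constructed, 20 sources
```

With 2048 clusters, a 75-second half-open timeout, no limiter and 1000 SYN/s for 5 seconds the pool fills after 2048 entries and the exhausted flag trips; the same flood with rate_limit=10 admits about 1000 entries and never hits the pool. The per-source limit only helps because this constructed flood has 20 sources; the bounded pool and the half-open timeout are what carry the load when sources are spoofed at random.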
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NDBBKDPPPIAOMPHNGECCCEPKCBAA.greg>