From: "JJB" <Barbish3@adelphia.net>
To: "Anton Alin-Adrian", freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Fri, 13 Feb 2004 10:51:08 -0500
In-Reply-To: <402CECD8.7020906@reversedhell.net>
Subject: RE: SYN Attacks - how i cant stop it
List-Id: User questions (freebsd-questions@freebsd.org)
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)

You talk about the net.inet.tcp.syncookies=1 knob; how about a description of what it does and why you are recommending using it?

How would one go about mirroring back the attacker's SYN packets to port 80 or 22? Please describe this easy method of yours.
-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Anton Alin-Adrian
Sent: Friday, February 13, 2004 10:27 AM
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: SYN Attacks - how i cant stop it

Most important, you did turn on syncookies, did you not? FreeBSD is pretty immune to SYN floods. As for out of bandwidth, this has to do with your uplink and how much you pay for your traffic.

    root# sysctl net.inet.tcp.syncookies

If it is not set to one, then do:

    root# sysctl net.inet.tcp.syncookies=1

Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1.

A reboot would clear the TCP stack. You can't reboot remotely if kernel securelevel is enabled in /etc/rc.conf.

If you don't have firewall support compiled in the kernel, kldload ipfw.

Might be a good lesson to mirror back all incoming SYN packets from the attacker's IP to him. To port 80, or 22, or to any other open port. You can do that easily with ipfw.

--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
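The defensive part of the advice above, checking the net.inet.tcp.syncookies knob and making it persistent in /etc/sysctl.conf, is easy to get subtly wrong by hand (a second copy of the line appended on every edit, or a stale `= 0` left in place that wins on reboot). The script below is an added example, not code from either poster: it parses the `key: value` form that FreeBSD's sysctl prints, decides whether the knob is on, and edits a sysctl.conf-style file idempotently (replace the existing line for the key if present, otherwise append it). When run on a box that is not FreeBSD it falls back to a constructed sample line so the parsing can still be exercised; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check the FreeBSD syncookies knob and
# persist it in a sysctl.conf-style file without duplicating or shadowing lines.

KNOB=net.inet.tcp.syncookies

# Print the value from a FreeBSD-style sysctl output line ("key: value";
# "key = value" is accepted too). Constructed sample input:
#   "net.inet.tcp.syncookies: 1"  ->  "1"
parse_sysctl_value() {
    printf '%s\n' "$1" | sed -n 's/^[^:=]*[:=][[:space:]]*//p'
}

# Return 0 (true) when the given sysctl output line reports the knob as 1.
syncookies_enabled() {
    [ "$(parse_sysctl_value "$1")" = "1" ]
}

# Idempotently set key=value in a sysctl.conf-style file: rewrite the first
# existing line for that key, drop any further duplicates, append if absent.
ensure_sysctl_conf() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            i = index($0, "=")
            if (i > 0) {
                lk = substr($0, 1, i - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", lk)   # trim the key
                if (lk == k) {
                    if (!done) { print k "=" v; done = 1 }
                    next                          # swallow duplicates
                }
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the value recorded for a key in a sysctl.conf-style file.
conf_value() {
    awk -v k="$2" -F= '{
        lk = $1; gsub(/^[ \t]+|[ \t]+$/, "", lk)
        if (lk == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val }
    }' "$1"
}

# Stand-alone run: query the live knob on FreeBSD; elsewhere use a constructed
# sample line so the example still runs offline.
if live=$(sysctl "$KNOB" 2>/dev/null); then
    line=$live
else
    line="$KNOB: 1"   # constructed sample, not real system output
fi
if syncookies_enabled "$line"; then
    echo "$KNOB is enabled"
else
    echo "$KNOB is NOT enabled; as root run: sysctl $KNOB=1"
fi
# To persist the setting on a real FreeBSD host (as root):
#   ensure_sysctl_conf /etc/sysctl.conf "$KNOB" 1
```

Note that `ensure_sysctl_conf` writes to a temp file next to the target and renames it into place, so a failed awk run never leaves a half-written /etc/sysctl.conf behind.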