Date:      Fri, 13 Feb 2004 10:51:08 -0500
From:      "JJB" <Barbish3@adelphia.net>
To:        "Anton Alin-Adrian" <aanton@reversedhell.net>, <freebsd-questions@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   RE: SYN Attacks - how i cant stop it
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEPEFKAA.Barbish3@adelphia.net>
In-Reply-To: <402CECD8.7020906@reversedhell.net>

You talk about the net.inet.tcp.syncookies=1 knob,
how about a description of what it does and why you
are recommending using it.

How would one go about mirroring back the attacker's
SYN packets to port 80 or 22?
Please describe this easy method of yours.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Anton
Alin-Adrian
Sent: Friday, February 13, 2004 10:27 AM
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: SYN Attacks - how i cant stop it

Most important, you did turn on syncookies, did you not?

FreeBSD is pretty immune to SYN floods. As for out of bandwidth, this
has to do with your uplink and how much you pay for your traffic.

root# sysctl net.inet.tcp.syncookies

If it is not set to one, then do:
root# sysctl net.inet.tcp.syncookies=1

Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1.

A reboot would clear the TCP stack. You can't reboot remotely if kernel
securelevel is enabled in /etc/rc.conf.

If you don't have firewall support compiled in the kernel, kldload ipfw.

Might be a good lesson to mirror back all incoming SYN packets from the
attacker's IP to him. To port 80, or 22, or to any other open port.
You can do that easily with ipfw.

--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"

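The check-and-persist steps for net.inet.tcp.syncookies from the quoted message, written out as a POSIX shell script. This is an added example, not part of either message and not FreeBSD project code; the function names and the sample file contents are constructed for illustration, and the file to edit is passed as an argument rather than assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit and persist the syncookies knob.
OID="net.inet.tcp.syncookies"

# awk fragment: split a sysctl.conf line into key/val, ignoring comments and blanks.
AWK_PARSE='{ line = $0; sub(/#.*/, "", line); n = index(line, "="); key = ""; val = ""
  if (n) { key = substr(line, 1, n - 1); val = substr(line, n + 1)
           gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) } }'

# Value FILE would apply at boot: the last active assignment wins; "unset" if none.
persisted_value() {
    awk -v oid="$OID" "$AWK_PARSE"'
        key == oid { found = val; seen = 1 }
        END { print (seen ? found : "unset") }' "$1"
}

# Rewrite FILE so it ends with exactly one active "OID=1" line. Stale or
# duplicate assignments of OID are dropped; every other line is kept as is.
ensure_persisted() {
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v oid="$OID" "$AWK_PARSE"'
        key != oid { print $0 }' "$file" > "$tmp"
    echo "$OID=1" >> "$tmp"
    if cmp -s "$tmp" "$file"; then rm -f "$tmp"; return 0; fi   # already correct
    cat "$tmp" > "$file"; rm -f "$tmp"     # cat keeps the file's owner and mode
}

# Running kernel's value; "unknown" where the OID does not exist (non-FreeBSD).
runtime_value() { sysctl -n "$OID" 2>/dev/null || echo unknown; }

# Constructed sample: a comment, a stale "=0" and an unrelated setting.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'net.inet.tcp.syncookies=0' \
        'kern.ipc.somaxconn=1024' > "$f"
    echo "runtime: $(runtime_value)"
    echo "before:  $(persisted_value "$f")"; ensure_persisted "$f"
    echo "after:   $(persisted_value "$f")"; rm -f "$f"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see the constructed sample; on a real host, call `ensure_persisted /etc/sysctl.conf` as root and compare `runtime_value` with `persisted_value /etc/sysctl.conf`.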