Date: Fri, 5 Sep 2025 00:26:08 +0200 From: "Peter 'PMc' Much" <pmc@citylink.dinoex.sub.org> To: freebsd-net@freebsd.org Subject: Successful syn flooding DoS Message-ID: <aLoSANVhfontVd3e@disp.intra.daemon.contact>
Folks,

today I fell victim to a SYN flooding party; one of my machines went offline and needed a full reset to recover.

Why: If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK. If there is a port forwarder in the path, then libalias will consider this state of affairs a fully established connection, and preserve the record, for... a day.

If somebody sends me 100 SYN packets per second, then after a few hours libalias will have accumulated millions of these records. They go into a tailq. And at that size, the network receiving thread searching through that will run at 100% CPU. That receiving thread is a network interrupt, prio 8, so if the machine is a single vcore KVM, it won't do much else anymore.

As a quick measure I have now tried to change libalias to require a bit more data before making the timeout that long. But in the meantime the idiots have stopped their nonsense, so there is no test.

Comments, anybody?

cheerio,
PMc
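The state-table behaviour described in the mail, as an added toy model that is neither part of the message nor of libalias itself: a flow record earns the one-day lifetime either as soon as the translator sees its own SYN-ACK (the behaviour that let the table grow) or only once the peer's ACK completes the handshake (the stricter rule proposed). TTLs, addresses and packet rates are constructed values.

```python
"""Toy NAT/port-forwarder state table under a spoofed SYN flood."""

LONG_TTL = 24 * 3600   # constructed: lifetime of an 'established' record (one day)
SHORT_TTL = 60         # constructed: lifetime of a handshake that never completes


class NatTable:
    def __init__(self, promote_on_synack):
        # promote_on_synack=True: our own SYN-ACK is enough to call the flow
        # established (the behaviour from the mail). False: wait for the ACK.
        self.promote_on_synack = promote_on_synack
        self.entries = {}  # flow key -> [state, expiry_time]

    def observe(self, key, event, now):
        rec = self.entries.setdefault(key, ["half_open", now + SHORT_TTL])
        if event == "syn_in" and rec[0] == "half_open":
            rec[1] = now + SHORT_TTL
        elif event == "synack_out" and self.promote_on_synack:
            rec[0], rec[1] = "established", now + LONG_TTL
        elif event == "ack_in":
            rec[0], rec[1] = "established", now + LONG_TTL

    def expire(self, now):
        """Drop records whose lifetime has passed; return how many remain."""
        self.entries = {k: v for k, v in self.entries.items() if v[1] > now}
        return len(self.entries)


def simulate(promote_on_synack, rate, seconds, legit_flows=10):
    """Live records after `seconds` of `rate` spoofed SYN/s, plus a few real flows."""
    table = NatTable(promote_on_synack)
    n = 0
    for t in range(seconds):
        for _ in range(rate):
            # constructed spoofed sources; unique key per SYN, never an ACK
            key = ("203.0.113.%d" % (n % 256), 1024 + n // 256)
            n += 1
            table.observe(key, "syn_in", t)
            table.observe(key, "synack_out", t)   # the host answers every SYN
    for i in range(legit_flows):                  # real clients finish the handshake
        key = ("198.51.100.7", 40000 + i)
        for ev in ("syn_in", "synack_out", "ack_in"):
            table.observe(key, ev, seconds)
    return table.expire(seconds + SHORT_TTL)


if __name__ == "__main__":
    print("promote on SYN-ACK:", simulate(True, 100, 3600))
    print("promote on ACK:    ", simulate(False, 100, 3600))
```

With the SYN-ACK rule every spoofed SYN becomes a day-long record, so the table holds one entry per flood packet; with the ACK rule only the completed flows survive the short timeout.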