From: "Peter 'PMc' Much"
Date: Fri, 5 Sep 2025 00:26:08 +0200
To: freebsd-net@freebsd.org
Subject: Successful syn flooding DoS
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Folks,

today I fell victim to a syn flooding party; one of my machines went offline and needed a full reset to recover.

Why: If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK. If there is a portforwarder in the path, then libalias will consider this state of affairs a fully established connection, and preserve the record, for... a day.

If somebody sends me 100 SYN packets per second, then after a few hours the libalias will have accumulated millions of these records. They go into a tailq. And at that size, the network receiving thread searching through that will run at 100% CPU. That receiving thread is a network interrupt, prio 8, so if the machine is a single vcore KVM, it won't do much else anymore.

As a quick measure I have now tried to change libalias to require a bit more data before making the timeout that long. But in the meantime the idiots have stopped their nonsense, so there is no test.

Comments, anybody?

cheerio,
PMc
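
Added example, not part of the original post and not libalias code: a small C model of the record expiry described above, comparing a forwarder that grants the long timeout once SYN and SYN-ACK are seen with one that waits for the client's ACK. The record layout, the function names and the 60-second half-open timeout are assumptions; the one-day timeout and the 100 SYN/s rate come from the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a port forwarder's per-connection record.
 * Not libalias code: names and the 60 s half-open timeout are assumptions. */
enum state  { SYN_SEEN, SYNACK_SEEN, ESTABLISHED };
enum policy { LONG_AFTER_SYNACK, LONG_AFTER_ACK };
enum pkt    { PKT_SYN, PKT_SYNACK, PKT_ACK };

#define T_SHORT 60u      /* assumed half-open timeout, seconds */
#define T_LONG  86400u   /* "a day", as described in the post */

struct rec { enum state st; uint32_t expires; };

/* Advance one record on a packet and refresh its expiry under policy p. */
static void on_packet(struct rec *r, enum pkt k, enum policy p, uint32_t now)
{
    if (k == PKT_SYN) r->st = SYN_SEEN;
    else if (k == PKT_SYNACK && r->st == SYN_SEEN) r->st = SYNACK_SEEN;
    else if (k == PKT_ACK && r->st == SYNACK_SEEN) r->st = ESTABLISHED;

    int is_long = r->st == ESTABLISHED ||
                  (p == LONG_AFTER_SYNACK && r->st == SYNACK_SEEN);
    r->expires = now + (is_long ? T_LONG : T_SHORT);
}

/* Records still alive in the last simulated second, after `secs` seconds of
 * `rate` SYNs/s that get a SYN-ACK but never complete the handshake. */
static uint64_t live_after_flood(enum policy p, uint32_t rate, uint32_t secs)
{
    uint64_t live = 0;
    for (uint32_t t = 0; t < secs; t++) {
        struct rec r = { SYN_SEEN, 0 };
        on_packet(&r, PKT_SYN, p, t);
        on_packet(&r, PKT_SYNACK, p, t);
        if (r.expires > secs - 1) live += rate;  /* whole batch shares expiry */
    }
    return live;
}

int main(void)
{
    uint32_t rate = 100, secs = 6 * 3600;   /* 100 SYN/s for six hours */
    printf("long timeout after SYN-ACK: %llu records\n",
           (unsigned long long)live_after_flood(LONG_AFTER_SYNACK, rate, secs));
    printf("long timeout after ACK:     %llu records\n",
           (unsigned long long)live_after_flood(LONG_AFTER_ACK, rate, secs));
    return 0;
}
```

With a linearly searched list, per-packet lookup cost grows with the live record count, so the bounded table in the second policy also bounds the time the receive path spends searching.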