Date: Mon, 11 Aug 2008 18:21:15 +0300
From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: Tom Huppi <tomh@huppi.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: syn flood, tcpdump readings
Message-ID: <48A058EB.3010308@moneybookers.com>
In-Reply-To: <20080807180054.GE10818@huppi.com>
References: <20080807101825.GC10818@huppi.com> <20080807173225.GA17926@verio.net> <20080807180054.GE10818@huppi.com>
Tom Huppi wrote:
> On 12:32 Thu 07 Aug , David DeSimone wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Tom Huppi <tomh@huppi.com> wrote:
>>
>>> Anyway, I am getting what I believe to be syn floods
>>> periodically. They dwarf my production traffic and sometimes
>>> get close to producing as much bandwidth as we are paying for. A
>>> representative sample looks like so when viewed with tcpdump on
>>> my outward interface ('em1'):
>>>
>>> 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
>>> 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
>>>
>> Since you went to the trouble of obscuring the source IP, I presume that
>> the source IP is your IP. So, these look like responses, i.e. outbound
>> traffic, not inbound, since they are sourced from your IP. You can use
>> tcpdump's -e flag to be sure who is sending and who is receiving.
>>
>
> I obscured my own IP range, which is the 74.nnn.nnn. one, and it
> is a /24. Interestingly, most of the IPs on my side are ones
> where I have no host.
>
> The reason why is that I figured that if I myself were a
> semi-sophisticated cracker, I would look for targets of
> opportunity on the various mailing lists where one could identify
> both networks administered by newbie/part-time personnel, and
> often a fair amount about the configuration of said :)
>
> The IP '125.21.176.19' is exactly as it appeared on my tcpdump.
> It shows as a telecom company in India in this case... usually
> it's some network company or another in China.
>
> My network looks like so:
>
>                             ------------- em0  <---> internal range
> Network Provider <----> em1 | pf firewall |
> (Internap)                  ------------- bce1 <---> dmz range
>
> I took the tcpdump output to indicate that SYN packets showing an Indian
> origin were showing up addressed to (mainly non-existent) IP addresses
> within my /24 network.
>
> I'll look at 'tcpdump -e'. Thanks for the hint!
If the syn flood comes from a single IP you can just block traffic from it.
For every SYN packet you are sending a SYN-ACK packet, so yes, the traffic
goes both ways. Why you do not see it on tcpdump I dunno.

In all cases you want to limit the max number of states that can be created
by a single source IP, and you want to limit the rate of new connections over
a time interval:

- max-src-states
- max-src-conn-rate

Anyway, if the incoming traffic "floods" your pipe this will not help, but at
least your firewall will work properly ;)

-- 
Best Wishes,
Stefan Lambrev
ICQ# 24134177
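A pf.conf fragment that applies the two options named above, added here as an illustration rather than a configuration from the thread; the interface name, the documentation-range address standing in for the /24, the port list and the table name are assumptions.

```pf
# Added example (not from the thread): per-source state and connection-rate
# limits on the outward interface. Interface, address, ports and table name
# are assumptions; tune the numbers to real traffic before relying on them.
ext_if  = "em1"
dmz_net = "192.0.2.0/24"      # placeholder (RFC 5737 range) for the /24

# Sources that exceed the limits are added here and blocked by the rule below.
table <synflooders> persist

# 'quick' so no later rule creates state for an overloaded source.
block in quick on $ext_if from <synflooders>

# Inbound TCP to the DMZ (53 is 'domain', the port seen in the tcpdump):
#   max-src-states     - at most 50 concurrent states per source IP
#   max-src-conn-rate  - at most 30 new connections per 10 s per source;
#                        exceeding it puts the IP in <synflooders> and
#                        'flush global' tears down all its existing states
#   synproxy state     - pf completes the 3-way handshake itself, so a SYN
#                        that is never ACKed never reaches the DMZ host
pass in on $ext_if proto tcp to $dmz_net port { 53, 80, 443 } \
    flags S/SA synproxy state \
    (max-src-states 50, max-src-conn-rate 30/10, \
     overload <synflooders> flush global)
```

`pfctl -t synflooders -T show` lists the sources that tripped the limit and `pfctl -t synflooders -T flush` clears the table; note that max-src-conn-rate only applies to stateful TCP rules, so UDP queries to port 53 are not covered by it.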