From: Anton Alin-Adrian <aanton@reversedhell.net>
Date: Fri, 13 Feb 2004 18:33:14 +0200
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: SYN Attacks - how i cant stop it
Message-ID: <402CFC4A.7020702@reversedhell.net>

JJB wrote:
> You talk about the net.inet.tcp.syncookies=1 knob,
> how about a description on what it does and why you
> are recommending using it.
The net.inet.tcp.syncookies 'knob', if set to 1, enables syn cookies. Syn cookies were invented specifically for syn flood protection. A brief description of the syncookies idea can be read here: http://cr.yp.to/syncookies.html

> How would one go about mirroring back the attackers
> syn packets to port 80 or 22?
> Please describe this easy method of yours.

Mirroring back packets to the attacker is, first of all, a nasty thing. Secondly, it is only possible if the attacker's IP is known. If it is not known, then obviously it's not possible. Knowing the attacker's IP does not necessarily mean that he is performing the current attacks from that IP.

Packet redirection with ipfw is done using divert sockets. One needs to have it compiled into the kernel. Divert sockets are also used by ipfw nat redirection. It's all in the man pages of ipfw.

If the flood is severely intense (from the point of stack memory exhaustion), it might be a good improvement to drop 5% of incoming SYN packets. This can also be done with ipfw, and is described in the manual pages. However, I don't think one would ever come to this.

Asking the ISP to put the server behind a decent cisco router, and implement syn cookies on hardware devices, is the best protection.

-- 
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E
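The reply points at Bernstein's write-up for what a syn cookie actually is. The following is an added illustration, not code from the mail, from FreeBSD, or from cr.yp.to: a user-space model of the cookie layout that page describes (a 32-bit initial sequence number whose top 5 bits carry a slowly ticking counter, the next 3 bits an MSS table index, and the low 24 bits a keyed hash over the connection 4-tuple and the counter). The addresses, the MSS table, the 64-second tick and the HMAC-SHA256 used as the keyed hash are all constructed for the example; a kernel uses its own hash and secret rotation. The point it shows is why the knob helps under a flood: the listener stores nothing per SYN, and only an ACK that returns a cookie it could have minted recently creates state.

```python
"""Illustrative SYN-cookie encoder/verifier (added example, not from the
original mail, FreeBSD, or cr.yp.to). Models the 32-bit ISN layout from
http://cr.yp.to/syncookies.html: 5-bit counter | 3-bit MSS index | 24-bit hash.
All constants below are constructed for the demonstration."""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1300, 1440, 1460)   # constructed table of encodable MSS values
COUNTER_PERIOD = 64                    # seconds per counter tick (Bernstein's choice)
SECRET = os.urandom(16)                # per-process server secret; real stacks rotate it


def counter(now):
    """5-bit coarse time counter derived from a Unix timestamp."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _hash24(saddr, sport, daddr, dport, t):
    """Keyed 24-bit hash over the 4-tuple and the counter value t."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the peer's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """ISN the server puts in its SYN-ACK instead of allocating a half-open entry."""
    t = counter(now)
    return (t << 27) | (encode_mss(mss) << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(cookie, saddr, sport, daddr, dport, now, max_age_ticks=1):
    """Validate the cookie echoed back in the client's ACK (acknowledgment number - 1).

    Returns the MSS to use for the connection if the cookie is genuine and was
    minted within max_age_ticks counter periods, otherwise None. Only at this
    point would a real stack create the connection state."""
    t = (cookie >> 27) & 0x1F
    age = (counter(now) - t) % 32          # modular so the counter may wrap
    if age > max_age_ticks:
        return None                        # stale: cookie older than allowed window
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
        return None                        # forged, or 4-tuple does not match
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    # Constructed peers: RFC 5737 documentation addresses, not hosts from the mail.
    client, server = ("192.0.2.10", 40000), ("198.51.100.5", 80)
    now = 1_000_000.0
    c = make_cookie(*client, *server, mss=1460, now=now)
    print(f"cookie=0x{c:08x}")
    print("fresh ACK   ->", check_cookie(c, *client, *server, now=now))
    print("late ACK    ->", check_cookie(c, *client, *server, now=now + 3 * COUNTER_PERIOD))
    print("wrong port  ->", check_cookie(c, client[0], 40001, *server, now=now))
```

The trade-off the mail alludes to is visible in the code: the cookie can only encode a handful of MSS values and nothing else the SYN carried (window scaling, SACK options), which is why stacks fall back to cookies only when the listen queue is under pressure rather than using them for every connection.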