From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Matthew Seaman
Cc: Scott Bennett, freebsd-questions@freebsd.org
Date: Mon, 6 Oct 2008 00:26:11 -0700
Subject: Re: pf vs. RST attack question
Message-ID: <20081006072611.GA13147@icarus.home.lan>
In-Reply-To: <48E9BBED.7090607@infracaninophile.co.uk>
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk>

On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
> Jeremy Chadwick wrote:
>> On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
>>> I'm getting a lot of messages like this:
>>>
>>> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>>>
>>> Is there some rule I can insert into /etc/pf.conf to reject these apparently
>>> invalid RST packets before they can bother TCP? At the same time, I do not
>>> want to reject legitimate RST packets.
>>
>> They're outbound RST packets coming from your box as a result of
>> incoming packets someone is sending you (possibly an attack).
>>
>> Proper firewalling rules should help defeat this, but there is no "magic
>> rule" you can place into pf.conf that will stop this.
>>
>> If you want a "magic solution", see blackhole(4).
>>
>
> block drop all
>
> looks fairly magical to me. Stick that at the top of your ruleset as
> your default policy, add more specific rules beneath it to allow
> the traffic you do want to pass, and Robert is your Mother's Brother.
> No more floods of RST packets.

This is incredibly draconian. :-) I was trying my best to remain realistic.

> (Actually, I'd recommend always adding a 'log' clause to any rules that
> drop packets like so: 'block log drop all'. Makes running 'tcpdump -i pflog0'
> an invaluable debugging aid.)

I cannot advocate use of "log" on such "vague" rules, and my attitude is based on experience:

We had "log" set on some of our deny rules, specifically on an entry which blocked any traffic to an IP to any ports other than 53 (DNS). Someone initiated an attack against that IP, to a destination port of something other than 53, which caused pflog to go crazy with logging.

What inadvertently resulted was a local system DoS -- the system began sporting a load average between 40 and 50, and was sluggish. The root cause? /var/log/pflog was growing at such a tremendous rate that newsyslog (trying to rotate and compress the logs) could not keep up. When I got to it, I found 8 or 9 gzip/newsyslog processes running trying to deal with the chaos.

Bottom line: be very, very cautious what rules you use "log" on, and be sure to remove it once the system is in production.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
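As an added illustration (not from the thread), here is a /etc/pf.conf that follows the advice in the exchange above: the default policy is an unlogged `block drop all`, `log` is kept only on one narrow rule while debugging, and the blackhole(4) sysctls stop the kernel from answering closed ports at all. The interface name, server address and ports are placeholders.

```pf
# /etc/pf.conf -- default-deny ruleset (illustrative; $ext_if and $srv are placeholders)
ext_if = "em0"
srv    = "192.0.2.10"

# Default policy: silently drop everything, last matching rule wins.
# No "log" keyword here: a block rule logs every packet it drops, so under
# a flood /var/log/pflog grows faster than newsyslog can rotate and gzip it
# (the local DoS described above).
block drop all

# Debug-time only: log a narrow, specific rule, e.g. to confirm that the
# ruleset really stops SSH from outside. Inspect with: tcpdump -n -e -ttt -i pflog0
# Remove the "log" keyword before the system goes into production.
block drop log quick on $ext_if proto tcp from any to $srv port 22

# Allow the traffic you do want, underneath the default block.
pass in  quick on $ext_if proto tcp from any to $srv port { 80, 443 } flags S/SA keep state
pass out quick on $ext_if all keep state

# Complement in /etc/sysctl.conf (see blackhole(4)): packets reaching a closed
# port are dropped without an RST or ICMP unreachable, so there is no closed
# port RST response left for the kernel to rate limit:
#   net.inet.tcp.blackhole=2
#   net.inet.udp.blackhole=1
```

Because the unsolicited SYNs are dropped by pf before they reach the TCP stack, the host never generates the outbound RSTs that triggered the "Limiting closed port RST response" message in the first place.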