From: Matthew Seaman
To: Jeremy Chadwick
Cc: Scott Bennett, freebsd-questions@FreeBSD.org
Subject: Re: pf vs. RST attack question
Date: Mon, 06 Oct 2008 09:34:46 +0100
Message-ID: <48E9CDA6.80508@infracaninophile.co.uk>
In-Reply-To: <20081006072611.GA13147@icarus.home.lan>
List-Id: User questions <freebsd-questions@freebsd.org>

Jeremy Chadwick wrote:
> On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
>> Jeremy Chadwick wrote:
>>> If you want a "magic solution", see blackhole(4).
>>>
>> block drop all
>>
>> looks fairly magical to me. Stick that at the top of your ruleset as
>> your default policy, add more specific rules beneath it to allow
>> the traffic you do want to pass, and Robert is your Mother's Brother.
>> No more floods of RST packets.
>
> This is incredibly draconian. :-) I was trying my best to remain
> realistic.

It's no such thing. This is the recommended standard practice when designing
firewalls: always start from the premise that all traffic will be dropped by
default and add specific exceptions to allow the traffic you want. Trying to
work the other way round is a recipe for disaster: 'allow everything, but block
what is then shown to be deleterious' means that you're always playing catch-up
as changes on your servers expose new attack vectors and as attackers discover
and try to exploit those holes. Not recommended, unless you actually /like/
being paged in the wee small hours.

>> (Actually, I'd recommend always adding a 'log' clause to any rules that
>> drop packets like so: 'block log drop all'. Makes running 'tcpdump -i pflog0'
>> an invaluable debugging aid.)
>
> I cannot advocate use of "log" on such "vague" rules, and my attitude is
> based on experience:
>
> We had "log" set on some of our deny rules, specifically on an entry
> which blocked any traffic to an IP to any ports other than 53 (DNS).
> Someone initiated an attack against that IP, to a destination port of
> something other than 53, which caused pflog to go crazy with logging.
>
> What inadvertently resulted was a local system DoS -- the system began
> sporting a load average between 40 and 50, and was sluggish.
>
> The root cause? /var/log/pflog was growing at such a tremendous rate
> that newsyslog (trying to rotate and compress the logs) could not keep
> up. When I got to it, I found 8 or 9 gzip/newsyslog processes running
> trying to deal with the chaos.
>
> Bottom line: be very, very cautious what rules you use "log" on, and be
> sure to remove it once the system is in production.
>

You have a point here, I will certainly admit that. In my experience, I've
not yet run into that scenario. I've tended to see systems more easily DoSed by
running out of pf states due to excessive DoS traffic to allowed ports than to
any extra load from pflogd and newsyslog from logging denied traffic. The
machines in question already log so much legitimate traffic from Squid and
Apache that pflog is trivial by comparison. Of course, now I've said 'it never
happens' I'm expecting half our firewalls to explode any minute now...

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
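Added here as an illustration, not from the thread: a pf.conf in the shape Matthew describes (default deny at the top, explicit exceptions beneath), with Jeremy's caution about 'log' applied and per-source state limits for the state-exhaustion case Matthew mentions. The interface name em0, the addresses and the table name <flood> are assumed.

```pf
# Added example, not from the thread. Interface name and addresses are
# assumed (RFC 5737 documentation ranges).
ext_if  = "em0"
web_srv = "192.0.2.10"
dns_srv = "192.0.2.53"
table <flood> persist

# Matthew's failure mode is state-table exhaustion: size the table
# deliberately and watch it with 'pfctl -si'.
set limit states 100000
set skip on lo0
scrub in on $ext_if all

# Default policy first, so every 'pass' below is an explicit exception.
# 'drop' discards silently: the host sends no TCP RST or ICMP unreachable in
# reply to a probe, which is what blackhole(4) gives at the socket layer;
# 'block return' would send them. 'log' is for bringing the ruleset up
# (read it with 'tcpdump -n -e -ttt -i pflog0'); remove it in production so
# that a flood at a blocked port cannot bury pflogd/newsyslog as in Jeremy's
# case, and check that newsyslog rotates /var/log/pflog by size, not only
# on a schedule.
block log drop all

# Known-noisy, uninteresting traffic: drop it unlogged and 'quick' so the
# logging rule above never sees it. Jeremy's DNS host is the model.
block drop in quick on $ext_if proto { tcp udp } to $dns_srv port != 53
block drop in quick on $ext_if from <flood>

# The exceptions. Per-source limits move abusive sources into <flood>
# instead of letting them fill the state table.
pass out on $ext_if all keep state
pass in on $ext_if proto tcp to $web_srv port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flood> flush global)
pass in on $ext_if proto { tcp udp } to $dns_srv port 53 keep state \
    (max-src-states 50)

# Syntax-check before loading:  pfctl -nf /etc/pf.conf
```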