Date: Fri, 5 Sep 2025 12:03:48 +0200
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
To: Peter 'PMc' Much <pmc@citylink.dinoex.sub.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Successful syn flooding DoS
Message-ID: <742A470C-1309-491B-A9F1-98CA402B6176@lurchi.franken.de>
In-Reply-To: <aLoSANVhfontVd3e@disp.intra.daemon.contact>
References: <aLoSANVhfontVd3e@disp.intra.daemon.contact>
> On 5. Sep 2025, at 00:26, Peter 'PMc' Much <pmc@citylink.dinoex.sub.org> wrote:
> 
> Folks,
> 
> today I fell victim to a syn flooding party; one of my machines
> went offline and needed a full reset to recover.
> 
> Why:
> If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK.
> If there is a portforwarder in the path, then libalias will
> consider this state of affairs a fully established connection, and
> preserve the record, for... a day.
> 
> If somebody sends me 100 SYN packets per second, then after a few
> hours the libalias will have accumulated millions of these records.
> They go into a tailq. And at that size, the network receiving
> thread searching through that will run at 100% CPU.
> 
> That receiving thread is a network interrupt, prio 8, so if the
> machine is a single vcore KVM, it won't do much else anymore.
> 
> As a quick measure I have now tried to change libalias to require a
> bit more data before making the timeout that long. But in the
> meantime the idiots have stopped their nonsense, so there is no
> test.
> 
> Comments, anybody?

That seems to be a problem of libalias. What middlebox setup are you using?

Best regards
Michael

> 
> cheerio,
> PMc
> 
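The state-table growth Peter describes, and the effect of his proposed fix (not promoting a record to the long timeout until the outside peer has confirmed the handshake), modelled as an added example. This is not libalias code: the state machine, the flow ids and the 300-second half-open timeout are assumptions; only the one-day established timeout and the 100 SYN/s rate come from the message.

```python
from typing import Dict, List

ONE_DAY = 86400       # established-connection timeout from the message
HALF_OPEN_TTL = 300   # assumed timeout for a record that has only seen SYN/SYN-ACK

class LinkTable:
    """Toy NAT/port-forwarder link table keyed by flow id."""
    def __init__(self, promote_on_synack: bool):
        self.promote_on_synack = promote_on_synack   # True = behaviour in the message
        self.links: Dict[object, List] = {}          # flow -> [state, expiry]

    def observe(self, now: int, flow: object, kind: str) -> None:
        """kind: 'syn' (outside->inside), 'synack' (inside->outside), 'ack' (outside->inside)."""
        link = self.links.get(flow)
        if link is None:
            if kind == 'syn':
                self.links[flow] = ['half_open', now + HALF_OPEN_TTL]
            return
        if (kind == 'synack' and self.promote_on_synack) or kind == 'ack':
            link[0], link[1] = 'established', now + ONE_DAY
        elif link[0] == 'half_open':
            link[1] = now + HALF_OPEN_TTL   # refresh, but stay short-lived

    def expire(self, now: int) -> int:
        """Timer-driven scan: drop every record whose expiry has passed."""
        dead = [f for f, (_, exp) in self.links.items() if exp <= now]
        for f in dead:
            del self.links[f]
        return len(dead)

def simulate_flood(promote_on_synack: bool, seconds: int = 3600,
                   syn_per_sec: int = 100, expire_every: int = 300) -> int:
    """Spoofed SYNs answered by SYN-ACK, never ACKed. Returns the peak table size."""
    table, peak, n = LinkTable(promote_on_synack), 0, 0
    for now in range(seconds):
        for _ in range(syn_per_sec):
            flow = ('spoofed', n); n += 1          # constructed flow id, one per SYN
            table.observe(now, flow, 'syn')
            table.observe(now, flow, 'synack')     # inside host replies; no ACK follows
        if now % expire_every == expire_every - 1:
            table.expire(now + 1)
        peak = max(peak, len(table.links))
    return peak

def flow_survives(promote_on_synack: bool, completes_handshake: bool) -> bool:
    """Does a single record outlive the half-open timeout under the given policy?"""
    t = LinkTable(promote_on_synack)
    t.observe(0, 'flow', 'syn'); t.observe(0, 'flow', 'synack')
    if completes_handshake:
        t.observe(1, 'flow', 'ack')
    t.expire(HALF_OPEN_TTL + 10)
    return 'flow' in t.links
```

With promotion on SYN-ACK the table grows by one record per spoofed SYN for a full day; with promotion only on the client's ACK, the spoofed records cap out near rate times half-open timeout while a completed handshake still gets the long timeout.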