Date: Fri, 5 Sep 2025 12:03:48 +0200
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
To: Peter 'PMc' Much <pmc@citylink.dinoex.sub.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Successful syn flooding DoS
Message-ID: <742A470C-1309-491B-A9F1-98CA402B6176@lurchi.franken.de>
In-Reply-To: <aLoSANVhfontVd3e@disp.intra.daemon.contact>
References: <aLoSANVhfontVd3e@disp.intra.daemon.contact>
> On 5. Sep 2025, at 00:26, Peter 'PMc' Much <pmc@citylink.dinoex.sub.org> wrote:
> 
> Folks,
> 
> today I fell victim to a syn flooding party; one of my machines
> went offline and needed a full reset to recover.
> 
> Why:
> If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK.
> If there is a portforwarder in the path, then libalias will
> consider this state of affairs a fully established connection, and
> preserve the record, for... a day.
> 
> If somebody sends me 100 SYN packets per second, then after a few
> hours the libalias will have accumulated millions of these records.
> They go into a tailq. And at that size, the network receiving
> thread searching through that will run at 100% CPU.
> 
> That receiving thread is a network interrupt, prio 8, so if the
> machine is a single vcore KVM, it won't do much else anymore.
> 
> As a quick measure I have now tried to change libalias to require a
> bit more data before making the timeout that long. But in the
> meantime the idiots have stopped their nonsense, so there is no
> test.
> 
> Comments, anybody?
That seems to be a problem of libalias. What middlebox setup are you using?

Best regards
Michael
> 
> cheerio,
> PMc
> 
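The mechanism PMc describes, modelled as an added example that is not libalias or FreeBSD code and not part of this thread: a NAT/port-forwarder state table kept as a linked list, where the naive policy promotes a link to "established" (with a day-long timeout, the one figure taken from the post) as soon as the server's own SYN-ACK passes through, while the hardened policy keeps the link half-open with a short timeout until the client's ACK arrives, which a spoofed source never sends. The specific timeouts (30 s for a bare SYN, 20 s half-open), the addresses, the packet rate and the single-list layout are assumptions of the model, not libalias values; the lookup-step counter makes the linear-search cost of a growing table visible.

```c
/* Added example, not libalias or FreeBSD code: a model of a NAT state table
 * showing the failure mode described above and the mitigation the poster
 * tried. Timeouts, addresses and the list layout are assumptions of the
 * model; only "a day" for an established link comes from the post. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define SYN_TIMEOUT         30u     /* assumed: SYN seen, no SYN-ACK yet */
#define HALF_OPEN_TIMEOUT   20u     /* assumed: SYN-ACK sent, client's ACK missing */
#define ESTABLISHED_TIMEOUT 86400u  /* "a day", as in the post */

enum policy { POLICY_NAIVE, POLICY_HARDENED };
enum dir    { DIR_IN, DIR_OUT };      /* DIR_IN: Internet -> server */
enum lstate { ST_SYN, ST_SYNACK, ST_ESTABLISHED };

/* Links are keyed by the client's 4-tuple in both directions (a real NAT swaps
 * the endpoints on the reverse path; the model skips that step). */
struct key   { uint32_t saddr, daddr; uint16_t sport, dport; };
struct link  { struct key k; enum lstate st; uint64_t expire; struct link *next; };
struct table { struct link *head; size_t n; uint64_t lookup_steps; /* nodes visited */ };

static struct link *lookup(struct table *tb, const struct key *k)
{
    for (struct link *l = tb->head; l != NULL; l = l->next) {
        tb->lookup_steps++;
        if (l->k.saddr == k->saddr && l->k.daddr == k->daddr &&
            l->k.sport == k->sport && l->k.dport == k->dport)
            return l;
    }
    return NULL;   /* a miss, i.e. every new SYN, walks the whole list */
}

/* Apply one segment; returns the timeout (s) the link holds afterwards, 0 if none. */
static uint64_t handle_segment(struct table *tb, enum policy p, const struct key *k,
                               enum dir d, uint8_t flags, uint64_t now)
{
    struct link *l = lookup(tb, k);
    if (l == NULL) {
        if (d != DIR_IN || flags != TH_SYN) return 0;  /* only an inbound SYN opens state */
        if ((l = calloc(1, sizeof *l)) == NULL) abort();
        l->k = *k; l->st = ST_SYN; l->expire = now + SYN_TIMEOUT;
        l->next = tb->head; tb->head = l; tb->n++;
    } else if (d == DIR_OUT && flags == (TH_SYN | TH_ACK) && l->st == ST_SYN) {
        /* Naive: our own SYN-ACK makes the link "established" for a day.
         * Hardened: it stays half-open with a short timeout until the client ACKs. */
        l->st     = p == POLICY_NAIVE ? ST_ESTABLISHED : ST_SYNACK;
        l->expire = now + (p == POLICY_NAIVE ? ESTABLISHED_TIMEOUT : HALF_OPEN_TIMEOUT);
    } else if (d == DIR_IN && (flags & TH_ACK) && l->st == ST_SYNACK) {
        /* The client's third packet, which a spoofed source never sends. */
        l->st = ST_ESTABLISHED; l->expire = now + ESTABLISHED_TIMEOUT;
    }
    return l->expire - now;
}

static void expire_links(struct table *tb, uint64_t now)
{
    for (struct link **pp = &tb->head, *l; (l = *pp) != NULL; ) {
        if (l->expire <= now) { *pp = l->next; free(l); tb->n--; }
        else pp = &l->next;
    }
}

/* Spoofed SYN flood: `rate` SYNs/s from distinct sources for `secs` seconds; we
 * answer each with a SYN-ACK and no ACK ever arrives. Caller frees the table. */
static struct table simulate_flood(enum policy p, unsigned rate, unsigned secs)
{
    struct table tb = { NULL, 0, 0 };
    for (uint64_t t = 0; t < secs; t++) {
        for (unsigned i = 0; i < rate; i++) {
            struct key k = { 0x0A000000u + (uint32_t)(t * rate + i), 0xC0A80001u,
                             (uint16_t)(40000u + i), 80 };   /* constructed addresses */
            handle_segment(&tb, p, &k, DIR_IN,  TH_SYN,          t);  /* spoofed SYN */
            handle_segment(&tb, p, &k, DIR_OUT, TH_SYN | TH_ACK, t);  /* our SYN-ACK */
        }
        expire_links(&tb, t);   /* housekeeping sweep once per second */
    }
    return tb;
}

/* Timeout one client holds after SYN/SYN-ACK, or after its ACK as well. */
static uint64_t handshake_timeout(enum policy p, int client_acks)
{
    struct table tb = { NULL, 0, 0 };
    struct key k = { 0x0A000001u, 0xC0A80001u, 51000, 80 };   /* constructed */
    handle_segment(&tb, p, &k, DIR_IN, TH_SYN, 0);
    uint64_t to = handle_segment(&tb, p, &k, DIR_OUT, TH_SYN | TH_ACK, 0);
    if (client_acks) to = handle_segment(&tb, p, &k, DIR_IN, TH_ACK, 0);
    expire_links(&tb, UINT64_MAX);
    return to;
}

int main(void)
{
    struct table a = simulate_flood(POLICY_NAIVE, 100, 100);
    struct table b = simulate_flood(POLICY_HARDENED, 100, 100);
    printf("naive: %zu links, %llu lookup steps; hardened: %zu links, %llu lookup steps\n",
           a.n, (unsigned long long)a.lookup_steps, b.n, (unsigned long long)b.lookup_steps);
    expire_links(&a, UINT64_MAX); expire_links(&b, UINT64_MAX);
    return 0;
}
```

With 100 spoofed SYNs per second for 100 seconds the naive table ends with all 10,000 links still alive (none would expire for a day), and the misses on every new SYN alone account for about 50 million list-node visits; the hardened table levels off at 2,000 links (20 s of half-open entries) and a real client that finishes the handshake still gets the day-long timeout. Note that the short half-open timeout only bounds table size; the per-packet cost of a list walk is a separate issue that a hash or tree lookup addresses.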
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?742A470C-1309-491B-A9F1-98CA402B6176>
