From owner-freebsd-security@FreeBSD.ORG Wed May 21 15:11:54 2003
Date: Wed, 21 May 2003 15:08:24 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: freebsd-security@freebsd.org
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
Message-ID: <20030521145102.C33754@fubar.adept.org>
Subject: Re: FreeBSD firewall block syn flood attack

On Tue, 20 May 2003, jeremie le-hen wrote:

> > I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> > the internet. The servers are being attacked with syn floods and go down
> > multiple times a day.

From disparate sources? Start with a sniffer and attempt to understand the
nature of your attacker. Is he clever? If not, you may not have to be that
clever to defeat him.

> > The 7 servers belong to a client, who runs redhat.

Suggest grabbing the latest errata via up2date/rhn and ensuring syncookies are
enabled per others' suggestions.

> I don't think a firewall can achieve this, even if it has some matching
> options like the "limit" match in Netfilter, which permits specifying a
> maximum number of times a rule can match in a given period, since if the
> SYN-flood is cleverly done (i.e. randomly spoofed), other valid connection
> attempts will also be limited.

Of course there is no single answer... The overall effectiveness, as another
pointed out, comes down to bandwidth. No matter how clever you are, if the
attacker can manage to use all available bandwidth... they win. If more
providers properly filtered on their access devices, spoofing would be much
less of an issue. Even with spoofing, attacks often follow a typical
"profile". So... There are things a firewall can do... But the place to
start is ensuring you understand as much as possible about your attacker and
the mode of attack.

-mrh

--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!
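The two points the thread makes, profile the attacker with a sniffer first and note that per-source limits misfire against randomly spoofed floods, can be turned into a quick triage step. The script below is an added illustration, not code from the list or from FreeBSD; it parses one-line tcpdump-style output (constructed sample lines, using RFC 5737 documentation addresses) and reports, per target, whether the SYN sources look spoofed (almost every source sends a single SYN) or concentrated (a few sources send many), which decides whether a per-source rate limit is worth trying or whether syncookies and upstream filtering are the realistic defence.

```python
import re
from collections import Counter, defaultdict

# Matches tcpdump's one-line TCP summary: "IP src.sport > dst.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def profile_syns(lines):
    """Per destination: SYN count, distinct sources and a spoofing heuristic."""
    syns = defaultdict(Counter)
    for line in lines:
        m = SYN_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        if "S" not in flags or "." in flags:   # bare SYN only; "S." is a SYN-ACK reply
            continue
        syns[m.group("dst")][m.group("src")] += 1
    stats = {}
    for dst, srcs in syns.items():
        total = sum(srcs.values())
        stats[dst] = {
            "syns": total,
            "sources": len(srcs),
            # Heuristic (assumption): when nearly every source sent just one SYN,
            # the addresses are almost certainly randomised, i.e. spoofed.
            "likely_spoofed": len(srcs) >= 0.8 * total,
        }
    return stats

def recommend(stats):
    """Map each target to the defensive posture discussed in the thread."""
    return {
        dst: ("spoofed: per-source limits would also throttle real clients; "
              "rely on syncookies and upstream ingress filtering")
        if s["likely_spoofed"] else
        "concentrated: a per-source rate limit at the firewall is viable"
        for dst, s in stats.items()
    }

# Constructed sample capture: 40 single-SYN spoofed sources against 192.0.2.10,
# 20 SYNs from just two hosts against 192.0.2.11, plus one SYN-ACK to ignore.
SAMPLE = [f"15:08:{i % 60:02d}.000000 IP 198.51.100.{i}.40000 > 192.0.2.10.80: "
          f"Flags [S], seq 1, win 512, length 0" for i in range(1, 41)]
SAMPLE += [f"15:08:30.000000 IP 203.0.113.{1 + i % 2}.{40000 + i} > 192.0.2.11.80: "
           f"Flags [S], seq 1, win 512, length 0" for i in range(20)]
SAMPLE += ["15:08:31.000000 IP 192.0.2.10.80 > 198.51.100.1.40000: "
           "Flags [S.], seq 0, ack 2, win 65535, length 0"]

if __name__ == "__main__":
    for dst, advice in recommend(profile_syns(SAMPLE)).items():
        print(dst, "->", advice)
```

In practice feed it `tcpdump -nn -l 'tcp[tcpflags] & tcp-syn != 0'` output captured on the bridge; the 0.8 threshold is a starting point to tune against normal traffic on the site.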