From: Greg Panula <greg.panula@dolaninformation.com>
Organization: Dolan Information Center Inc
Date: Wed, 08 May 2002 01:57:45 -0500
To: Patrick Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: what does a syncookies attack look like ?
Message-ID: <3CD8CC69.47021F06@dolaninformation.com>
References: <20020507214035.B8475-100000@utility.clubscholarship.com>

Patrick Thomas wrote:
>
> The reason we suspect it is an attack - or at least an outside influence -
> is that the crash/hang occurs at exactly the same time every day. Of
> course the first reaction to that would be "probably a cron job" ...
> however we have ruled that out by setting the system time to the time that
> it crashes .. at times of the day with analogous (or greater) load than
> when it really does crash. When we artificially set the time to the "zero
> hour" nothing happens.
>
> However, when that time comes up in the "real world", the server hangs
> like I described.

. . .

> tcpdump on the machine itself and on the firewall reveals nothing
> interesting. Not an interesting level of traffic in terms of transactions
> or bandwidth. We're going crazy here trying to figure it out. We are
> running the very first 4.5-RELEASE, and we have so far only patched the
> included sshd, and done the chmod on the `keylink` file or whatever it was
> that was suid root. Otherwise it is a stock very first release of
> 4.5-RELEASE.
>
> thanks for any suggestions/help,
>

The answer to your problem is probably related to security advisory:
FreeBSD-SA-02:20 "syncache/syncookies denial of service"

The full text of the advisory can be found at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A20.syncache.asc

All of the security advisories can be found at:
http://www.freebsd.org/security/index.html#adv

A google search for 'syncookies' or 'synflooding' should turn up some
useful information about SYN flooding and the use of syncookies as a
defense. I found a quick description at:
http://www.incidents.org/diary/november01/110801.php

"On some operating systems it is possible to configure the kernel to use a
SYN flood protection mechanism known as SYNcookies. The idea is that, if
the server should detect a SYN flood attack, it can stop keeping state on
waiting-to-be-completed three way handshakes, and switch to a
challenge-response mechanism for accepting new connections. When in "flood
protection mode" the server embeds a cryptographically strong "cookie" in
the TCP header of each SYN-ACK it sends. This cookie is a state-keeping
mechanism. If a real client is actually engaged on the other end of the
connection, the client will automatically return the cookie to the server
when responding with the final ACK of the three-way-handshake. Thus, the
server can completely forget about the connection after sending the
SYN-ACK, because all the state data required to establish the new
connection arrives in the final ACK."

Good luck,
Greg
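The cookie mechanism quoted above, as an added example that is not part of this message or of the FreeBSD kernel's own code: a simplified SYN cookie generator and validator in Python. The 32-bit layout (5-bit time counter, 24-bit keyed MAC, 3-bit MSS index), the secret, the MSS table, the validity window and the addresses and ports are all assumptions made for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed per-boot secret for the demo; a real kernel draws this from its RNG.
SECRET = b"constructed-demo-secret"
# Assumed table of MSS values the cookie's low 3 bits can encode (index 0..7).
MSS_TABLE = [536, 1300, 1440, 1460]
COUNTER_PERIOD = 64   # seconds per counter tick (assumed)
MAX_AGE_TICKS = 1     # accept cookies from the current and the previous tick


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port,
                      client_isn & 0xFFFFFFFF, count & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit counter | 24-bit MAC | 3-bit MSS index.
    No per-connection state is kept; everything needed lives in this number."""
    count = int(now) // COUNTER_PERIOD
    # Largest table entry not exceeding the client's MSS (index 0 if none fits).
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    return ((count & 0x1F) << 27) | (mac << 3) | mss_idx


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq_num, ack_num, now):
    """Validate the final ACK of the handshake. Returns the encoded MSS, or None
    if the cookie is forged, stale, or malformed."""
    cookie = (ack_num - 1) & 0xFFFFFFFF   # the client ACKs our ISN + 1
    client_isn = (seq_num - 1) & 0xFFFFFFFF
    mss_idx = cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    cookie_count = (cookie >> 27) & 0x1F
    current = int(now) // COUNTER_PERIOD
    for age in range(MAX_AGE_TICKS + 1):     # bounded window defeats replay
        count = current - age
        if count & 0x1F != cookie_count:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)
        got = (cookie >> 3) & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None
```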