From: Mike Silbersack
To: Josh Brooks
Cc: Richard A Steenbergen
Date: Sat, 11 Jan 2003 19:14:30 -0600 (CST)
Subject: Re: What is my next step as a script kiddie ? (DDoS)
Sender: owner-freebsd-net@FreeBSD.ORG

On Sat, 11 Jan 2003, Josh Brooks wrote:

> Thanks for your help - two last questions regarding this:
>
> 1. On a FreeBSD router/firewall, does it take more processing power to
> respond to (and reset) a SYN to a target IP:port that is nonexistent than
> it does to respond to a target IP:port that is in heavy use ?
>
> that is, is there some caching mechanism in use that makes incoming DoS
> packets to _already busy_ IP:ports "cost less" in terms of processor than
> SYN packets to IP:ports that don't exist ? Just curious.

Handling random packets to unused ports is far easier for the computer to
handle. By default the first 200 or so are responded to, and the rest are
just ignored.

On the other hand, a SYN flood targeting an active port is another story.
The host must assume that all incoming packets are legitimate, and can't
just throw some away. You're going to need to do more reading. Serious
attackers are already 5 miles ahead of you. No, I'm not going to say how,
I don't want to give the script kiddies ideas about FreeBSD's weaknesses. :)

Mike "Silby" Silbersack
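
The reply limiting described above for unused ports, sketched as an added example (not part of the original message and not FreeBSD kernel code): a simplified limiter that answers at most 200 closed-port packets per window and silently drops the rest, so the reply cost stays flat however large the flood. The one-second window, the constructed traffic, and the names `resp_limiter`, `resp_allow` and `simulate_flood` are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified model (assumption, not kernel code): at most `limit` replies
 * (TCP RST / ICMP unreachable) per one-second window; the rest are ignored. */
struct resp_limiter {
    uint64_t window_start_ms;  /* start of the current 1 s window */
    unsigned sent;             /* replies already sent in this window */
    unsigned limit;            /* max replies per window (200 in the mail) */
};

/* Returns 1 if a packet to a closed port arriving at now_ms gets a reply,
 * 0 if it is silently dropped. */
static int resp_allow(struct resp_limiter *rl, uint64_t now_ms)
{
    if (now_ms - rl->window_start_ms >= 1000) {  /* new window: reset count */
        rl->window_start_ms = now_ms;
        rl->sent = 0;
    }
    if (rl->sent < rl->limit) {
        rl->sent++;
        return 1;
    }
    return 0;
}

/* Constructed workload: `pps` evenly spaced packets per second to closed
 * ports for `seconds` seconds. Returns the total number of replies sent. */
static unsigned long simulate_flood(unsigned limit, unsigned pps,
                                    unsigned seconds)
{
    struct resp_limiter rl = { 0, 0, limit };
    unsigned long replies = 0;

    for (unsigned s = 0; s < seconds; s++)
        for (unsigned i = 0; i < pps; i++) {
            uint64_t now_ms = (uint64_t)s * 1000 + (uint64_t)i * 1000 / pps;
            replies += (unsigned long)resp_allow(&rl, now_ms);
        }
    return replies;
}

int main(void)
{
    /* Below the limit every packet is answered; above it replies are capped. */
    printf("50 pps for 3 s:     %lu replies\n", simulate_flood(200, 50, 3));
    printf("100000 pps for 3 s: %lu replies\n", simulate_flood(200, 100000, 3));
    return 0;
}
```

On FreeBSD the corresponding limit is exposed as the `net.inet.icmp.icmplim` sysctl. No such cap can be applied blindly to SYNs aimed at a listening port, which is the contrast the reply draws.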