From owner-freebsd-questions  Mon Mar 15 10:12:38 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1])
	by hub.freebsd.org (Postfix) with ESMTP id A5DF815346
	for <questions@FreeBSD.ORG>; Mon, 15 Mar 1999 10:10:16 -0800 (PST)
	(envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost)
	by relay.ucb.crimea.ua (8.9.2/8.9.2/UCB) id UAA06705;
	Mon, 15 Mar 1999 20:03:35 +0200 (EET)
	(envelope-from ru)
Date: Mon, 15 Mar 1999 20:03:33 +0200
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: The Tech-Admin Dude <geniusj@phoenix.unacom.com>
Cc: questions@FreeBSD.ORG
Subject: Re: SYN attacks
Message-ID: <19990315200333.A6656@relay.ucb.crimea.ua>
Mail-Followup-To: The Tech-Admin Dude <geniusj@phoenix.unacom.com>,
	questions@FreeBSD.ORG
References: <19990315194148.A841@relay.ucb.crimea.ua> <Pine.BSF.4.10.9903151249070.29767-100000@phoenix.unacom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <Pine.BSF.4.10.9903151249070.29767-100000@phoenix.unacom.com>; from The Tech-Admin Dude on Mon, Mar 15, 1999 at 12:49:56PM -0500
X-Operating-System: FreeBSD 3.1-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Mar 15, 1999 at 12:49:56PM -0500, The Tech-Admin Dude wrote:
[27 lines deleted]
> > > 	That looks to be (and as I understood it) for limitting bandwidth
> > > going through a certain device, I dont want to llimit overall bandwidth of
> > > the system, the SYN attacks dont actually take much bandwidth, but they do
> > > take a big chunk of system resources and dont allow anyone else to login
> > > while they are going on..
> > 
> > No, you can limit only packets with SYN bit set.
> > 
> > For example,
> > 
> > ipfw pipe 1 config bw 1Kbit/s
> > ipfw add pipe 1 tcp from any to <your_host> setup via <external_interface>
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^

> 
> 	Ah ha! :).. One more thing though, if I limit SYN to 1 kbit or 10
> kbit, the SYN would prolly use about that much so would other users still
> have room to connect to the server with him using up all the bandwidth
> designated for SYN packets?
> 
See ^^^s above.

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message