Date: Fri, 29 Oct 1999 14:16:50 -0500 (CDT)
From: Mike Bush <mab@kougars.kish.cc.il.us>
To: freebsd-current@freebsd.org
Subject: SYN Flood/DoS/PPP/ipfw
Message-ID: <Pine.GHP.4.10.9910291346050.25307-100000@kougars.kish.cc.il.us>

The other day my machine was attacked with, what I believe is, a SYN flood.
tcpdump gave me this output (1.1.1.1 is me and 2.2.2.2 is him)

20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
...

Anyways, this attack lasted for about 40 minutes and I had a firewall
('ipfw show' said the packets were being denied). After about 30 minutes
my system began swapping. I looked around and found ppp (what I used to
connect with via tun0) was now taking up 47MB of RAM and was still growing.
The attack didn't really affect the system load until it started swapping..
and then it was minimal.

So my question is.. Is this a problem with my firewall rules or a problem
in ppp? (I run ppp with -alias)

I was always under the impression that if you deny the SYNs where you can
(or where they shouldn't be) then they can't cause a problem. I guess this
is wrong.

My system:
CPU: pII 266
RAM: 64MB
SWAP: 115MB
OS: FreeBSD-current 4.0 (Oct 20, 1999)

FreeBSD fan
Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
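
An added example, not part of the original message: a small Python summarizer for tcpdump output in the old text format quoted above, counting bare SYNs per source and the spread of destination ports. The function names and thresholds are assumptions chosen for illustration, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# First four lines are the ones quoted in the message; the last two
# (a plain ACK and a SYN-ACK) are constructed for contrast.
SAMPLE = """\
20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
20:57:06.100000 3.3.3.3.1025 > 1.1.1.1.80: . ack 1 win 32120 (DF)
20:57:06.200000 1.1.1.1.80 > 3.3.3.3.1025: S 500:500(0) ack 2 win 17520 (DF)
"""

# time, src addr.port, dst addr.port, flags field, remainder of the line
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\d+(?:\.\d+){3})\.(\d+) > "
                  r"(\d+(?:\.\d+){3})\.(\d+): (\S+) (.*)$")

def summarize_syns(text):
    """Per source address: bare-SYN count, destination ports, first/last time."""
    stats = defaultdict(lambda: {"syns": 0, "dports": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, _sport, _dst, dport, flags, rest = m.groups()
        # This tcpdump format prints a SYN-ACK as "S ... ack N": skip those.
        if flags != "S" or " ack " in f" {rest} ":
            continue
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)  # ignores midnight wrap
        s = stats[src]
        s["syns"] += 1
        s["dports"].add(int(dport))
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(stats)

def flag_sources(stats, min_syns=4, min_port_ratio=0.9):
    """Sources whose SYNs almost all hit different ports (assumed thresholds)."""
    flagged = []
    for src, s in stats.items():
        if s["syns"] >= min_syns and len(s["dports"]) / s["syns"] >= min_port_ratio:
            span = round(s["last"] - s["first"], 6)
            flagged.append((src, s["syns"], len(s["dports"]), span))
    return sorted(flagged)

if __name__ == "__main__":
    for src, syns, ports, span in flag_sources(summarize_syns(SAMPLE)):
        print(f"{src}: {syns} bare SYNs to {ports} distinct ports in {span}s")
```

On a real capture, raise `min_syns` well above the value used for this four-line sample.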