From owner-freebsd-current  Fri Oct 29 12:16:45 1999
Delivered-To: freebsd-current@freebsd.org
Received: from kougars.kish.cc.il.us (kougars.kish.cc.il.us [131.156.65.2])
	by hub.freebsd.org (Postfix) with ESMTP id 97A8614FFF
	for <freebsd-current@freebsd.org>; Fri, 29 Oct 1999 12:16:40 -0700 (PDT)
	(envelope-from mab@kougars.kish.cc.il.us)
Received: from localhost (mab@localhost)
	by kougars.kish.cc.il.us (8.9.3/8.9.3) with ESMTP id OAA06348
	for <freebsd-current@freebsd.org>; Fri, 29 Oct 1999 14:16:50 -0500 (CDT)
Date: Fri, 29 Oct 1999 14:16:50 -0500 (CDT)
From: Mike Bush <mab@kougars.kish.cc.il.us>
To: freebsd-current@freebsd.org
Subject: SYN Flood/DoS/PPP/ipfw
Message-ID: <Pine.GHP.4.10.9910291346050.25307-100000@kougars.kish.cc.il.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The other day my machine was attacked with, what i believe is, a SYN
flood. tcpdump gave me this output (1.1.1.1 is me and 2.2.2.2 is him)

20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S
1409055765:14090557
65(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S
1409337177:14093371
77(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S
1402287967:14022879
67(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S
1395991751:13959917
51(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
...

Anyways, this attack lasted for about 40 minutes and I had a firewall
('ipfw show' said the packets were being denied). After about 30 minutes
my system began swapping. I looked around and found ppp (what i used to
connect with via tun0) was now taking up 47MB of RAM and was still 
growing. The attack didnt really effect the system load until it started
swapping.. and then it was minimal.

So my question is.. Is this a problem with my firewall rules or a problem
in ppp? (I run ppp with -alias) I was always under the impression that if
you deny the SYN's where you can (or where they shouldnt be) then they
cant cause a problem. I guess this is wrong.

My system:
CPU: pII 266
RAM: 64MB
SWAP: 115MB
OS: FreeBSD-current 4.0 (Oct 20, 1999)

FreeBSD fan
Mike



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message