Date: Mon, 26 Jul 2021 14:36:32 +0100
From: Arthur Chance <freebsd@qeng-ho.org>
To: Norman Gray <gray@nxg.name>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Detecting or mitigating syn-flood attacks
Message-ID: <e31a8442-b645-7e4a-5cec-49e12b8ab017@qeng-ho.org>
In-Reply-To: <57893A91-2180-441F-836F-66EAC526FBB8@nxg.name>
References: <57893A91-2180-441F-836F-66EAC526FBB8@nxg.name>
On 26/07/2021 13:59, Norman Gray wrote:
>
> Greetings.
>
> Can anyone point me towards best-practice guidance on detecting and
> mitigating syn-flood attacks, with a focus on FreeBSD?
>
> We run a login server, providing ssh access to our users, from the open
> internet. It's running in a jail on a FreeBSD machine. This machine
> (both jail and host) has recently become unresponsive on occasion, even
> to the extent of it being impossible to log in on the console (the
> password prompt never appears). Nothing in the logs. We _think_ we are
> (or have been) victim to a syn-flood attack, but mostly on the grounds
> of having ruled out most plausible alternatives: we're struggling to
> find positive confirmation of this.
>
> So I have two related questions:
>
> 1. What should we be looking at, to confirm or refute this hypothesis?
> And, supposing that the attack has stopped when we're looking, what
> should we be monitoring to detect such a thing if it comes back?

This is theoretical, I have no personal experience, but you might want to
look at the net.inet.tcp.syncache MIB tree. sysctl -d net.inet.tcp.syncache
for quick descriptions. net.inet.tcp.syncache.count would seem to be the
first thing to watch, and tweaking net.inet.tcp.syncache.cachelimit or
net.inet.tcp.syncookies_only might help, but I'd wait until someone more
knowledgeable than me chips in.

> 2. Is there a best practice document that we should be working through?
> The machine is in a jail, with firewall rules which are, I _think_, as
> restrictive as is compatible with the service's purpose of having port
> 22 open to the internet.
>
> A few extra observations:
>
> I thought I'd be able to find all sorts of information and guidance on
> this, but my google-fu seems lacking.
>
> Regarding the sshd configuration,
> <https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a
> few points, which we're already observing. The machine's sshd_config is
> pretty restrictive: I'm reasonably comfortable I understand the
> important parts of the sshd configuration, but there's always more to
> learn. In any case, my own uncertainty is more with the pf
> configuration than the sshd one.
>
> I see for example
> <https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-attack-nginx-go-offline.23912/>,
> but that's rather terse, and now 10 years old.
>
> There are of course various 'top 20 ssh best practices !1!!' documents
> here and there, but their recommendations, while not necessarily wrong,
> tend to be rather voodoo, which doesn't make me trust them much.
>
> I'm comfortable with basic pf configuration, but I haven't so far had to
> venture very far off-shore. I'm reluctant to type in firewall rules I
> don't understand (*cough*).
>
> I'm also using blacklistd on the jail host, with all its eccentricities

-- 
Nothing teaches one not to try to stamp out burning thermite quite like real-life experience. — James Davis Nicoll
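Arthur's suggestion to watch net.inet.tcp.syncache.count, as an added example that is not part of the thread: a small POSIX sh helper that reads sysctl output, classifies syncache occupancy against cachelimit, and can loop live on a FreeBSD host. The sysctl names are FreeBSD's own; the 30%/80% thresholds and the sample values are constructed for the demo.

```shell
# Added example (not from the thread). Assumes the FreeBSD sysctls
# net.inet.tcp.syncache.count and net.inet.tcp.syncache.cachelimit;
# the 30%/80% thresholds are an arbitrary choice for this demo.

# Extract one value from "name: value" lines, the format sysctl prints.
# $1 = sysctl name; the sysctl output is read from stdin.
syncache_get() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# Classify syncache occupancy. Prints "<level> <percent>" and returns
# 0 (ok), 1 (warn) or 2 (critical / unknown), usable as an exit code.
syncache_level() {
    count=$1; limit=$2
    [ -n "$limit" ] && [ "$limit" -gt 0 ] 2>/dev/null || { echo "unknown 0"; return 2; }
    pct=$(( count * 100 / limit ))
    if [ "$pct" -ge 80 ]; then echo "critical $pct"; return 2
    elif [ "$pct" -ge 30 ]; then echo "warn $pct"; return 1
    else echo "ok $pct"; return 0
    fi
}

# Live polling loop (FreeBSD only). $1 = interval in seconds, default 10.
# Sustained high occupancy means SYNs arrive faster than handshakes complete.
syncache_watch() {
    interval=${1:-10}
    while :; do
        out=$(sysctl net.inet.tcp.syncache)
        c=$(printf '%s\n' "$out" | syncache_get net.inet.tcp.syncache.count)
        l=$(printf '%s\n' "$out" | syncache_get net.inet.tcp.syncache.cachelimit)
        printf '%s syncache %s/%s %s\n' "$(date '+%FT%T')" "$c" "$l" \
            "$(syncache_level "$c" "$l")"
        sleep "$interval"
    done
}

# Constructed sample of sysctl net.inet.tcp.syncache output, so the
# classification can be exercised offline (values are made up).
SAMPLE='net.inet.tcp.syncache.rexmtlimit: 3
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.count: 13000
net.inet.tcp.syncache.cachelimit: 15375
net.inet.tcp.syncache.bucketlimit: 30'

# Run the classifier over the sample; prints "critical 84".
demo() {
    c=$(printf '%s\n' "$SAMPLE" | syncache_get net.inet.tcp.syncache.count)
    l=$(printf '%s\n' "$SAMPLE" | syncache_get net.inet.tcp.syncache.cachelimit)
    syncache_level "$c" "$l"
}
```

On FreeBSD, netstat -s -p tcp also reports syncache cache and bucket overflows and syncookies sent, which corroborate what the counter alone shows.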