From owner-freebsd-security  Fri Dec  1 11: 7: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by hub.freebsd.org (Postfix) with ESMTP id E50B037B400
	for <freebsd-security@FreeBSD.ORG>; Fri,  1 Dec 2000 11:07:02 -0800 (PST)
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.9.3/8.9.3) id MAA25650;
	Fri, 1 Dec 2000 12:06:45 -0700 (MST)
Message-Id: <200012011906.MAA25650@faith.cs.utah.edu>
Subject: Re: Defeating SYN flood attacks
To: umesh@juniper.net (Umesh Krishnaswamy)
Date: Fri, 1 Dec 2000 12:06:45 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG, umesh@juniper.net
In-Reply-To: <3A27F625.4C87CC7C@juniper.net> from "Umesh Krishnaswamy" at Dec 01, 2000 11:04:05 AM
From: "David G. Andersen" <dga@pobox.com>
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD has been synflood resistant for several years.  To a first order,
you cannot effectively synflood a decently provisioned FreeBSD box and
deny service to it UNLESS your "synflood" is really just a bandwidth
consumption attack that eats up all of their bandwidth.

There was a problem that cropped up about a year ago where a *really high
volume* syn flood could cause some kernel problems, but that's fixed in
all of the recent 4.x versions.  Really high volume means 10Mbps+.

  -Dave

Lo and behold, Umesh Krishnaswamy once said:
> 
> Hi Folks,
> 
> I wanted to double-check which version of FreeBSD (if any) can address a
> SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and
> ip_input.c) do not seem to have any code to address such an attack. Maybe I am
> missing something.
> 
> So if you folks can enlighten me on whether or how to handle the SYN attack from
> within the kernel, I would appreciate it. I am aware of ingress filtering; while
> that can help attacks from randomized IP addresses, it will fail in the case of
> an attack from a spoofed trusted IP address. Hence the desire to look into the
> kernel for a fix.
> 
> Thanks.
> Umesh.
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message