From owner-freebsd-security Fri Dec 1 11:13:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (Postfix) with ESMTP id 0E29B37B400 for ; Fri, 1 Dec 2000 11:13:40 -0800 (PST)
Received: (from alan@localhost) by agora.rdrop.com (8.11.1/8.11.1) id eB1JDeW49581; Fri, 1 Dec 2000 11:13:40 -0800 (PST)
Date: Fri, 1 Dec 2000 11:13:40 -0800
From: Alan Batie
To: "David G. Andersen"
Cc: Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
Message-ID: <20001201111340.P45293@agora.rdrop.com>
Mail-Followup-To: "David G. Andersen" , Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG
References: <3A27F625.4C87CC7C@juniper.net> <200012011906.MAA25650@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012011906.MAA25650@faith.cs.utah.edu>; from dga@pobox.com on Fri, Dec 01, 2000 at 12:06:45PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 01, 2000 at 12:06:45PM -0700, David G. Andersen wrote:
> FreeBSD has been synflood resistant for several years. To a first order,
> you cannot effectively synflood a decently provisioned FreeBSD box and
> deny service to it UNLESS your "synflood" is really just a bandwidth
> consumption attack that eats up all of their bandwidth.
>
> There was a problem that cropped up about a year ago where a *really high
> volume* syn flood could cause some kernel problems, but that's fixed in
> all of the recent 4.x versions. Really high volume means 10Mbps+.

I was just subject to such an attack last weekend; I'm running 4.1-RELEASE at the moment. The attack was SYNs from a large number of (probably spoofed, randomly generated) addresses to a sequence of ports.

The reason I noticed it was because the port unreachable ICMP messages exceeded the default ICMP bandwidth limit, and the console and syslog were filled with the resulting messages about that. The attack ran from Friday evening until Monday morning. I'm not sure if it's related, but it's suspicious that the system under attack crashed (wedged) Sunday morning.

FWIW

-- 
Alan Batie                      www.rdrop.com/users/alan    Me alan@batie.org
                                www.qrd.org                 The Triangle
PGPFP DE 3C 29 17 C0 49 7A      www.pgpi.com                The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9      www.anti-spam.net           NO SPAM!
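The only symptom Alan saw was the kernel complaining that port-unreachable replies had hit the ICMP bandwidth limit. Those messages are a cheap detection signal for a port sweep or SYN flood against closed ports, so here is an added example (not from this thread, and not FreeBSD code) of a small Python scanner that reads a syslog extract, parses the rate-limit lines, and flags sustained runs where the kernel wanted to send many times more unreachables than the limit allows. The message wording in the regex is an assumption modelled on the FreeBSD kernel's "Limiting icmp unreach response" text and should be adjusted to what your kernel actually logs; the sample log lines, hostname and thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex modelled on the FreeBSD kernel's ICMP rate-limit message. The exact
# wording is an assumption here; check it against your own /var/log/messages.
_LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Limiting icmp unreach response from (?P<attempted>\d+) "
    r"to (?P<limit>\d+) packets/sec$"
)


@dataclass
class LimitEvent:
    timestamp: str
    attempted: int   # unreachables the kernel wanted to send in that second
    limit: int       # ceiling it was clamped to (the icmplim sysctl value)


def parse_icmp_limit(line: str) -> Optional[LimitEvent]:
    """Return a LimitEvent for a rate-limit log line, or None for anything else."""
    m = _LIMIT_RE.match(line)
    if not m:
        return None
    return LimitEvent(m["ts"], int(m["attempted"]), int(m["limit"]))


def excess_ratio(ev: LimitEvent) -> float:
    """How far over the limit the kernel was pushed (1.0 == exactly at the limit)."""
    return ev.attempted / ev.limit


def find_sustained_floods(lines: List[str], min_run: int = 3,
                          min_ratio: float = 5.0) -> List[List[LimitEvent]]:
    """Return runs of consecutive limit events whose attempted/limit ratio is
    at least min_ratio. A single hit barely over the limit is normal noise; a
    run of hits an order of magnitude over it, hour after hour, is what a
    multi-day sweep of closed ports looks like in syslog. Unrelated log lines
    are ignored and do not break a run."""
    runs: List[List[LimitEvent]] = []
    current: List[LimitEvent] = []
    for line in lines:
        ev = parse_icmp_limit(line)
        if ev is None:
            continue
        if excess_ratio(ev) >= min_ratio:
            current.append(ev)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


# Constructed sample syslog extract: one benign blip, then a sustained burst.
SAMPLE_LOG = """\
Dec  1 18:02:11 fw1 /kernel: Limiting icmp unreach response from 212 to 200 packets/sec
Dec  1 18:03:40 fw1 sshd[412]: Accepted publickey for admin from 10.0.0.7
Dec  2 03:14:07 fw1 /kernel: Limiting icmp unreach response from 1842 to 200 packets/sec
Dec  2 03:14:08 fw1 /kernel: Limiting icmp unreach response from 1907 to 200 packets/sec
Dec  2 03:14:09 fw1 /kernel: Limiting icmp unreach response from 1766 to 200 packets/sec
Dec  2 03:14:10 fw1 /kernel: Limiting icmp unreach response from 2013 to 200 packets/sec
Dec  2 09:00:00 fw1 cron[900]: (root) CMD (/usr/libexec/atrun)
""".splitlines()


if __name__ == "__main__":
    for run in find_sustained_floods(SAMPLE_LOG):
        peak = max(excess_ratio(ev) for ev in run)
        print(f"possible flood: {len(run)} rate-limit hits from {run[0].timestamp} "
              f"to {run[-1].timestamp}, peak {peak:.1f}x over icmplim")
```

The ratio threshold matters more than the raw count: a host that briefly exceeds the limit during a legitimate burst of unreachable traffic should not page anyone, while a box that is being asked to emit ten times its ICMP budget every second for hours is either being swept or being used as a reflector, and either way deserves a look at the SYN counters and a packet capture.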