From: Umesh Krishnaswamy
Organization: Juniper Networks
Date: Fri, 01 Dec 2000 12:09:36 -0800
To: "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks

"David G. Andersen" wrote:

> FreeBSD has been synflood resistant for several years. To a first order,
> you cannot effectively synflood a decently provisioned FreeBSD box and
> deny service to it UNLESS your "synflood" is really just a bandwidth
> consumption attack that eats up all of their bandwidth.
>
> There was a problem that cropped up about a year ago where a *really high
> volume* syn flood could cause some kernel problems, but that's fixed in
> all of the recent 4.x versions. Really high volume means 10Mbps+.
>

Cool. That is good to hear. I just verified that the synflood attack does not
bring down a 3.3.4 machine. If anybody knows off the top of their head, the
kernel source files which have the fixes, it would help.

Thx.
Umesh.

>
> -Dave
>
> Lo and behold, Umesh Krishnaswamy once said:
> >
> > Hi Folks,
> >
> > I wanted to double-check which version of FreeBSD (if any) can address a
> > SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and
> > ip_input.c) do not seem to have any code to address such an attack. Maybe I am
> > missing something.
> >
> > So if you folks can enlighten me on whether or how to handle the SYN attack from
> > within the kernel, I would appreciate it. I am aware of ingress filtering; while
> > that can help attacks from randomized IP addresses, it will fail in the case of
> > an attack from a spoofed trusted IP address. Hence the desire to look into the
> > kernel for a fix.
> >
> > Thanks.
> > Umesh.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
> --
> work: dga@lcs.mit.edu                          me: dga@pobox.com
> MIT Laboratory for Computer Science            http://www.angio.net/