From: Jason DiCioccio
To: 'Umesh Krishnaswamy', "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Defeating SYN flood attacks
Date: Fri, 1 Dec 2000 12:10:55 -0800

3.3.4? is that 3.3 or 3.4?

-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: Umesh Krishnaswamy [mailto:umesh@juniper.net]
Sent: Friday, December 01, 2000 12:10 PM
To: David G. Andersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks

"David G. Andersen" wrote:

> FreeBSD has been synflood resistant for several years. To a first
> order, you cannot effectively synflood a decently provisioned
> FreeBSD box and deny service to it UNLESS your "synflood" is really
> just a bandwidth consumption attack that eats up all of their
> bandwidth.
>
> There was a problem that cropped up about a year ago where a
> *really high volume* syn flood could cause some kernel problems,
> but that's fixed in all of the recent 4.x versions. Really high
> volume means 10Mbps+.
>

Cool. That is good to hear. I just verified that the synflood attack
does not bring down a 3.3.4 machine. If anybody knows off the top of
their head, the kernel source files which have the fixes, it would
help. Thx.

Umesh.

>
> -Dave
>
> Lo and behold, Umesh Krishnaswamy once said:
> >
> > Hi Folks,
> >
> > I wanted to double-check which version of FreeBSD (if any) can
> > address a SYN flooding DoS attack. The latest FreeBSD sources
> > (tcp_input.c and ip_input.c) do not seem to have any code to
> > address such an attack. Maybe I am missing something.
> >
> > So if you folks can enlighten me on whether or how to handle the
> > SYN attack from within the kernel, I would appreciate it. I am
> > aware of ingress filtering; while that can help attacks from
> > randomized IP addresses, it will fail in the case of an attack
> > from a spoofed trusted IP address. Hence the desire to look into
> > the kernel for a fix.
> >
> > Thanks.
> > Umesh.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science
> http://www.angio.net/