From: Avleen Vig
To: Ryan James
Cc: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 00:34:24 -0700
Subject: Re: FreeBSD firewall block syn flood attack

On Tue, May 20, 2003 at 01:52:00AM -0500, Ryan James wrote:
> Hello,
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

SYN floods are difficult to "protect" against. In the past, the only way I
have been able to deal with them is to block all communication to the hosts
being attacked, and allow communication again when the attack ends.

The difficulty comes in when the attacker realises that you are effectively
combatting the attack, and then proceeds to increase the ferocity of the
attack until either all of our bandwidth is consumed, or your network
equipment cannot handle the rate of packets coming in.

Best thing to do is just take the hosts off the network. I normally use
packet filter rules to achieve this.
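The quarantine-and-release approach described in the reply, written out as an added example for an ipfw-based FreeBSD 4.x bridge (this is not code from the thread; the rule-number base, the SYN-count threshold and the "host count" input format are assumptions):

```shell
#!/bin/sh
# Added example: block all traffic to a flooded host, re-allow it when the
# flood stops, as in the reply above. Assumptions: ipfw on a FreeBSD 4.x
# bridge with net.link.ether.bridge_ipfw=1 so bridged frames pass ipfw;
# rule numbers BASE+1..BASE+254 are free; counts arrive as "host syn_count".
# By default the ipfw commands are only printed; set IPFW=ipfw to apply them.
IPFW="${IPFW:-echo ipfw}"
BASE=${BASE:-1000}           # assumed free rule-number range for quarantine
THRESHOLD=${THRESHOLD:-500}  # assumed SYNs per sample interval that mean a flood

# One rule number per protected host, from its last octet (assumes one /24).
rule_number() {
    last=${1##*.}
    echo $((BASE + last))
}

# Drop everything to and from the host so the flood no longer reaches it.
quarantine_host() {
    n=$(rule_number "$1")
    $IPFW add "$n" deny ip from any to "$1"
    $IPFW add "$n" deny ip from "$1" to any
}

# Both rules share a number, so one delete releases the host after the attack.
release_host() {
    $IPFW delete "$(rule_number "$1")"
}

# Read "host syn_count" lines on stdin and print the hosts above THRESHOLD.
# The counts come from whatever the operator samples per interval; the
# format used here is constructed for the example.
floods_from_counts() {
    while read -r host count; do
        if [ "$count" -gt "$THRESHOLD" ]; then
            echo "$host"
        fi
    done
}

# Constructed sample: one host under flood, two healthy.
SAMPLE="192.0.2.10 8200
192.0.2.11 40
192.0.2.12 12"

for h in $(printf '%s\n' "$SAMPLE" | floods_from_counts); do
    quarantine_host "$h"
done
```

Run the same sampling on a later interval and call release_host for hosts that have dropped back below the threshold.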