Date: Fri, 1 Dec 2000 22:26:29 -0800
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Alan Batie <alan@batie.org>
Cc: "David G. Andersen" <dga@pobox.com>, Umesh Krishnaswamy <umesh@juniper.net>, freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
Message-ID: <20001201222629.L99903@149.211.6.64.reflexcom.com>
In-Reply-To: <20001201111340.P45293@agora.rdrop.com>; from alan@batie.org on Fri, Dec 01, 2000 at 11:13:40AM -0800
References: <3A27F625.4C87CC7C@juniper.net> <200012011906.MAA25650@faith.cs.utah.edu> <20001201111340.P45293@agora.rdrop.com>
On Fri, Dec 01, 2000 at 11:13:40AM -0800, Alan Batie wrote:
> On Fri, Dec 01, 2000 at 12:06:45PM -0700, David G. Andersen wrote:
> > FreeBSD has been synflood resistant for several years. To a first order,
> > you cannot effectively synflood a decently provisioned FreeBSD box and
> > deny service to it UNLESS your "synflood" is really just a bandwidth
> > consumption attack that eats up all of their bandwidth.
> >
> > There was a problem that cropped up about a year ago where a *really high
> > volume* syn flood could cause some kernel problems, but that's fixed in
> > all of the recent 4.x versions. Really high volume means 10Mbps+.
>
> I was just subject to such an attack last weekend; I'm running 4.1-RELEASE
> at the moment. The attack was SYNs from a large number of (probably
> spoofed, randomly generated) addresses to a sequence of ports. The reason
> I noticed it was because the port unreachable icmp messages exceeded the
> default icmp bandwidth limit and the console and syslog were filled with
> the resulting messages about that. The attack ran from Friday evening
> until Monday morning. I'm not sure if it's related, but it's suspicious,
> that the system under attack crashed (wedged) Sunday morning.

You are not describing a SYN attack. A SYN attack does not produce
ICMP port unreachables. A SYN attack is focused on _open_ _TCP_
ports. Port unreachables are produced by _closed_ _UDP_ ports. And if
you hit a closed TCP port with a SYN, you get a TCP RST, not an ICMP
message.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001201222629.L99903>
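
The distinction drawn in the reply above (SYN/ACK from an open TCP port, RST from a closed TCP port, ICMP port unreachable from a closed UDP port) can be checked against a capture of the host's own replies. The following is an added example, not part of the original message: the tcpdump-style lines are constructed, and the address 192.0.2.10 and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture of replies sent by a host at 192.0.2.10
# (documentation addresses; not data from the original message).
SAMPLE = """\
22:26:29.000101 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 4000 unreachable, length 36
22:26:29.000205 IP 192.0.2.10 > 203.0.113.9: ICMP 192.0.2.10 udp port 4001 unreachable, length 36
22:26:29.000311 IP 192.0.2.10 > 198.51.100.23: ICMP 192.0.2.10 udp port 4002 unreachable, length 36
22:26:29.000420 IP 192.0.2.10.81 > 203.0.113.40.5120: Flags [R.], seq 0, ack 1, win 0, length 0
22:26:29.000533 IP 192.0.2.10.80 > 198.51.100.7.4431: Flags [S.], seq 100, ack 2, win 65535, length 0
22:26:29.000640 IP 198.51.100.7.4431 > 192.0.2.10.80: Flags [.], ack 101, win 65535, length 0
"""

LINE = re.compile(r"IP (?P<src>\S+) > \S+: (?P<rest>.*)")
FLAGS = re.compile(r"Flags \[([^\]]*)\]")

def classify(line):
    """Map one reply line to the kind of port that produced it, or None."""
    m = LINE.search(line)
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP") and "udp port" in rest and "unreachable" in rest:
        return "closed-udp"          # ICMP port unreachable
    f = FLAGS.match(rest)
    if f and "R" in f[1]:
        return "closed-tcp"          # RST answers a SYN to a closed TCP port
    if f and f[1] == "S.":
        return "open-tcp"            # SYN/ACK answers a SYN to an open TCP port
    return None

def diagnose(capture, host):
    """Count the replies `host` sent and name what the inbound traffic hit."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and (m["src"] == host or m["src"].startswith(host + ".")):
            kind = classify(line)
            if kind:
                counts[kind] += 1
    if not counts:
        return counts, "no replies from host"
    top = counts.most_common(1)[0][0]
    verdict = {"open-tcp": "consistent with a SYN flood on open TCP ports",
               "closed-tcp": "SYNs to closed TCP ports (answered with RST)",
               "closed-udp": "UDP to closed ports, not a SYN flood"}[top]
    return counts, verdict
```

On the constructed sample the ICMP port unreachables dominate, so the verdict is UDP to closed ports, which is the case the reply says a SYN attack does not produce.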