From owner-freebsd-security Fri Dec 1 22:26:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id C827437B400 for ; Fri, 1 Dec 2000 22:26:50 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 1 Dec 2000 22:25:17 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eB26QT522939; Fri, 1 Dec 2000 22:26:29 -0800 (PST) (envelope-from cjc)
Date: Fri, 1 Dec 2000 22:26:29 -0800
From: "Crist J . Clark"
To: Alan Batie
Cc: "David G. Andersen" , Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
Message-ID: <20001201222629.L99903@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <3A27F625.4C87CC7C@juniper.net> <200012011906.MAA25650@faith.cs.utah.edu> <20001201111340.P45293@agora.rdrop.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001201111340.P45293@agora.rdrop.com>; from alan@batie.org on Fri, Dec 01, 2000 at 11:13:40AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 01, 2000 at 11:13:40AM -0800, Alan Batie wrote:
> On Fri, Dec 01, 2000 at 12:06:45PM -0700, David G. Andersen wrote:
> > FreeBSD has been synflood resistant for several years. To a first order,
> > you cannot effectively synflood a decently provisioned FreeBSD box and
> > deny service to it UNLESS your "synflood" is really just a bandwidth
> > consumption attack that eats up all of their bandwidth.
> >
> > There was a problem that cropped up about a year ago where a *really high
> > volume* syn flood could cause some kernel problems, but that's fixed in
> > all of the recent 4.x versions. Really high volume means 10Mbps+.
>
> I was just subject to such an attack last weekend; I'm running 4.1-RELEASE
> at the moment. The attack was SYNs from a large number of (probably
> spoofed, randomly generated) addresses to a sequence of ports. The reason
> I noticed it was because the port unreachable icmp messages exceeded the
> default icmp bandwidth limit and the console and syslog were filled with
> the resulting messages about that. The attack ran from Friday evening
> until Monday morning. I'm not sure if it's related, but it's suspicious,
> that the system under attack crashed (wedged) Sunday morning.

You are not describing a SYN attack. A SYN attack does not produce ICMP
port unreachables. A SYN attack is focused on _open_ _TCP_ ports. Port
unreachables are produced by _closed_ _UDP_ ports. And if you hit a closed
TCP port with a SYN, you get a TCP RST, not an ICMP message.

--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
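The three cases Crist draws apart (a SYN to an open TCP port answered with SYN+ACK and left half-open, a SYN to a closed TCP port answered with a RST, and a UDP datagram to a closed port answered with an ICMP port unreachable) can be told apart from the responses alone. The classifier below is an added example, not code from the thread; it runs over a constructed, simplified packet log in a hypothetical one-packet-per-line format (not real tcpdump output) and names the dominant pattern.

```python
import re
from collections import Counter

# Constructed, simplified packet log (hypothetical format, not tcpdump output).
# TCP flags: S, SA, A, R. The ICMP line quotes the UDP datagram that provoked it.
SAMPLE_LOG = """\
tcp 10.0.0.5:40001 > 192.0.2.1:80 S
tcp 192.0.2.1:80 > 10.0.0.5:40001 SA
tcp 10.0.0.6:40002 > 192.0.2.1:80 S
tcp 192.0.2.1:80 > 10.0.0.6:40002 SA
tcp 10.0.0.7:40003 > 192.0.2.1:81 S
tcp 192.0.2.1:81 > 10.0.0.7:40003 R
udp 10.0.0.8:40004 > 192.0.2.1:5000
icmp 192.0.2.1 > 10.0.0.8 port-unreachable udp 10.0.0.8:40004 > 192.0.2.1:5000
"""
TCP_RE = re.compile(r"^tcp (\S+) > (\S+) (\S+)$")
UDP_RE = re.compile(r"^udp (\S+) > (\S+)$")
ICMP_RE = re.compile(r"^icmp \S+ > \S+ port-unreachable udp (\S+) > (\S+)$")

def classify(log):
    """Count what each probe provoked, per the three cases in the reply above."""
    tcp = {}          # (client, server) -> "syn" | "synack" | "established" | "rst"
    udp_seen = set()  # (client, server) pairs of UDP datagrams sent
    counts = Counter()
    for line in log.splitlines():
        if m := TCP_RE.match(line):
            src, dst, flags = m.groups()
            if flags == "S":
                tcp[(src, dst)] = "syn"
            elif flags == "SA" and tcp.get((dst, src)) == "syn":
                tcp[(dst, src)] = "synack"          # open port answered; awaiting ACK
            elif flags == "A" and tcp.get((src, dst)) == "synack":
                tcp[(src, dst)] = "established"     # handshake completed: real client
            elif flags == "R" and tcp.get((dst, src)) == "syn":
                tcp[(dst, src)] = "rst"             # closed TCP port: RST, no ICMP
        elif m := UDP_RE.match(line):
            udp_seen.add(m.groups())
        elif (m := ICMP_RE.match(line)) and m.groups() in udp_seen:
            counts["udp_closed_port_unreachable"] += 1   # closed UDP port
    for state in tcp.values():
        counts[{"synack": "tcp_open_half_open", "rst": "tcp_closed_rst",
                "established": "tcp_open_completed"}.get(state, "tcp_unanswered")] += 1
    return counts

def diagnose(counts):
    if counts["udp_closed_port_unreachable"] > counts["tcp_open_half_open"]:
        return "udp-to-closed-ports"     # ICMP port unreachables: not a SYN flood
    if counts["tcp_open_half_open"] > counts["tcp_open_completed"]:
        return "tcp-syn-flood-pattern"   # SYN+ACKs on open ports left half-open
    return "normal"
```

A console filling with ICMP bandwidth-limit messages therefore points at the UDP case, which this classifier reports separately from half-open TCP connections.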