Date:      Sat, 2 Dec 2000 01:25:56 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        cjclark@alum.mit.edu
Cc:        Alan Batie <alan@batie.org>, "David G. Andersen" <dga@pobox.com>, Umesh Krishnaswamy <umesh@juniper.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: Defeating SYN flood attacks
Message-ID:  <Pine.BSF.4.21.0012020120460.4048-100000@achilles.silby.com>
In-Reply-To: <20001201222629.L99903@149.211.6.64.reflexcom.com>


On Fri, 1 Dec 2000, Crist J . Clark wrote:

> On Fri, Dec 01, 2000 at 11:13:40AM -0800, Alan Batie wrote:
> > I was just subject to such an attack last weekend; I'm running 4.1-RELEASE
> > at the moment.  The attack was SYNs from a large number of (probably
> > spoofed, randomly generated) addresses to a sequence of ports.  The reason
> > I noticed it was because the port unreachable icmp messages exceeded the
> > default icmp bandwidth limit and the console and syslog were filled with
> > the resulting messages about that.  The attack ran from Friday evening
> > until Monday morning.  I'm not sure if it's related, but it's suspicious
> > that the system under attack crashed (wedged) Sunday morning.
> 
> You are not describing a SYN attack. A SYN attack does not produce
> ICMP port unreachables. A SYN attack is focused on _open_ _TCP_
> ports. Port unreachables are produced by _closed_ _UDP_ ports. And if
> you hit a closed TCP port with a SYN, you get a TCP RST, not an ICMP
> message.
> -- 
> Crist J. Clark                           cjclark@alum.mit.edu

Once again, you're both right.  The current code says "icmp
unreachable" whether it's actually a RST or a true icmp message
sent.  I'll be creating a PR with a patch that fixes the error in
reporting tomorrow.

I need to find a better way to test and do a bit more research, but I
suspect at the moment that the purpose synflooding unopen ports serves is
not to deny service to the port, but rather to eat bandwidth and bloat the
route table.  If so, the bloated route table may explain why the box
wedged.  (Why someone wouldn't spend their stolen bandwidth on an open
port is beyond me, though.)

Mike "Silby" Silbersack
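As an added illustration (not code from the thread or from FreeBSD), a small Python model of the response rules Crist lays out and of Mike's point about the limiter's log message: which inbound packets draw a RST, an ICMP port unreachable, or a SYN-ACK, how many distinct spoofed sources a flood leaves behind, and when a per-second response limiter would have fired. The 200 responses per second limit, the one-bucket-per-response-type limiter and the constructed flood are assumptions.

```python
"""Model of how a host answers a flood aimed at open and closed ports,
following the distinction drawn in the thread: a SYN to a closed TCP port
draws a TCP RST, a datagram to a closed UDP port draws an ICMP port
unreachable, and only SYNs to open TCP ports create half-open state.
Assumptions (not from the thread): a 200 responses/second limiter with one
bucket per response type, and a constructed flood with random sources."""
from collections import Counter
import random

RESPONSE_LIMIT_PER_SEC = 200  # assumed limiter default


def classify(proto, dport, open_tcp, open_udp):
    """Return the host's response to one inbound packet."""
    if proto == "tcp":
        return "syn-ack" if dport in open_tcp else "rst"
    if proto == "udp":
        return "deliver" if dport in open_udp else "icmp-unreach"
    raise ValueError("unsupported protocol: %s" % proto)


def analyze(packets, open_tcp, open_udp):
    """packets: iterable of (second, src_ip, proto, dport).

    Returns (response counts, number of distinct sources, limiter events).
    Distinct sources matter because each one may become a cloned route on a
    4.x-era host, which is the route-table bloat Mike suspects.  Limiter
    events are (second, response type) pairs whose count exceeded the limit;
    on 4.1 both RST and ICMP events were logged as "icmp unreachable"."""
    responses = Counter()
    per_bucket = Counter()
    sources = set()
    for sec, src, proto, dport in packets:
        r = classify(proto, dport, open_tcp, open_udp)
        responses[r] += 1
        sources.add(src)
        if r in ("rst", "icmp-unreach"):
            per_bucket[(sec, r)] += 1
    events = sorted(k for k, n in per_bucket.items() if n > RESPONSE_LIMIT_PER_SEC)
    return responses, len(sources), events


def synthetic_flood(seconds=3, pps=1000, seed=1):
    """Constructed sample: spoofed random 10/8 sources, SYNs walking ports."""
    rng = random.Random(seed)
    pkts = []
    for sec in range(seconds):
        for i in range(pps):
            src = "10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3))
            pkts.append((sec, src, "tcp", 1024 + (sec * pps + i) % 2000))
    return pkts
```

Running `analyze(synthetic_flood(), {22, 80}, {53})` reports only RSTs, a few thousand distinct sources and a limiter event in every second, which is the pattern Alan describes: no open port is touched, yet the host is logging rate-limit messages.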


