Date: 20 May 2003 10:12:18 +0200
From: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
To: Ryan James <ryan@mac2.net>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-ID: <1053418338.552.15.camel@edinburgh>
In-Reply-To: <BAEF3AC0.9998%ryan@mac2.net>
References: <BAEF3AC0.9998%ryan@mac2.net>
On Tue, 2003-05-20 at 08:52, Ryan James wrote:
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

On a few of my systems I have built dummynet pipes to limit the destroying effect of SYN-floods. By limiting incoming SYNs to a few packets per second (the systems don't have many legit incoming connection requests per second) I can be sure my boxes will survive the attack. A way to do this is to create separate pipes for every service, so even though the pipe for port 80 is full, the pipe for 25 might still have some room..

Of course, since you're limiting a lot, the DoS is easier: legitimate connections won't succeed either. But.. First, a system going down (crash/swamp/explode) is worse than a system which only doesn't accept connections. Immediately after the DoS-attack stops the servers will be available again. Secondly: most scriptkiddies are pretty stupid. I've seen quite a few SYN-floods to ports where nothing was listening, and which thus were firewalled off. Such attacks are quite pointless, except for the bandwidth-use. This might be the case in your situation (you didn't tell ;). If so: just create a firewall rule blocking all incoming packets for those ports and the dummynet queue won't fill up with bogus traffic.

Of course a little tcpdumping might help too. I've had a 1K-big-packets ping-flood of 40Mbit/s from just 29 systems; by using tcpdump I could easily figure out which traffic I wanted to block. Filtering such an attack is easy and doable performance-wise.

Hope this helps a bit and good luck!

Pieter
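The per-service dummynet setup Pieter describes, written out as an added example (not a rule set from the thread): one small pipe per service for incoming SYNs, plus plain deny rules for ports with no listener. Pipe numbers, rule numbers, ports and bandwidths are constructed values for illustration, not tuned figures.

```shell
#!/bin/sh
# Added example, not part of the original mail. Builds an ipfw/dummynet rule set
# that rate-limits incoming connection requests ("setup" = SYN without ACK) per
# service, so a flood on port 80 cannot exhaust the pipe that serves port 25.
#
# Entry format: "<pipe-number> <tcp-port> <bandwidth>" (constructed values).
# A 5Kbit/s pipe passes roughly ten 60-byte SYNs per second; the rest are dropped.
SYN_PIPES="
1 80 5Kbit/s
2 25 5Kbit/s
3 22 2Kbit/s
"
# Ports with nothing listening (constructed list): drop their SYNs outright so
# bogus traffic never occupies a queue at all.
CLOSED_PORTS="135 139 445"

# Print the ipfw commands for the whole set, one per line (dry run).
gen_syn_limit_rules() {
    rule=1000
    echo "$SYN_PIPES" | while read -r pipe port bw; do
        [ -n "$pipe" ] || continue
        # Tiny bandwidth and a short queue: excess SYNs are discarded quickly
        # instead of piling up and delaying the few that do get through.
        echo "ipfw pipe $pipe config bw $bw queue 5"
        # Only new inbound connection requests are sent through the pipe;
        # established traffic is not touched.
        echo "ipfw add $rule pipe $pipe tcp from any to any $port in setup"
        rule=$((rule + 10))
    done
    rule=2000
    for p in $CLOSED_PORTS; do
        echo "ipfw add $rule deny tcp from any to any $p in setup"
        rule=$((rule + 10))
    done
}

# On a FreeBSD host with ipfw and dummynet (run as root) apply the rules;
# on any other system just print them for review.
apply_syn_limit_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        gen_syn_limit_rules | sh
    else
        gen_syn_limit_rules
    fi
}
```

On a bridging firewall the rules only see bridged traffic when net.link.ether.bridge_ipfw is enabled; review the printed output before applying it for real.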