From: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
To: Ryan James
Cc: freebsd-security@freebsd.org
Date: 20 May 2003 10:12:18 +0200
Subject: Re: FreeBSD firewall block syn flood attack

On Tue, 2003-05-20 at 08:52, Ryan James wrote:
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers
> and the internet. The servers are being attacked with SYN floods and go
> down multiple times a day.
> I am trying to find a way to do some kind of SYN flood protection inside
> the firewall.

On a few of my systems I have built dummynet pipes to limit the destructive
effect of SYN floods. By limiting incoming SYNs to a few packets per second
(the systems don't have many legitimate incoming connection requests per
second) I can be sure my boxes will survive the attack.

A way to do this is to create separate pipes for every service, so even
though the pipe for port 80 is full, the pipe for port 25 might still have
some room.

Of course, since you're limiting a lot, the DoS is easier: legitimate
connections won't succeed either. But, first, a system going down
(crash/swamp/explode) is worse than a system which only doesn't accept
connections. Immediately after the DoS attack stops the servers will be
available again.

Secondly, most script kiddies are pretty stupid. I've seen quite a few SYN
floods to ports nothing was listening on, and which were thus firewalled
off. Such attacks are quite pointless, except for the bandwidth use. This
might be the case in your situation (you didn't tell ;). If so, just create
a firewall rule blocking all incoming packets for those ports and the
dummynet queue won't fill up with bogus traffic.

Of course a little tcpdumping might help too. I've had a ping flood of 1K
packets at 40Mbit/s from just 29 systems; by using tcpdump I could easily
figure out which traffic I wanted to block. Filtering such an attack is
easy and doable performance-wise.

Hope this helps a bit and good luck!

Pieter
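As an added example (this is not Pieter's own ruleset and not part of the original message), the following shell script builds the per-service dummynet pipes and the deny rules for unused ports described above, and tallies SYN sources from tcpdump output the way the message suggests. The interface name, the ports, the per-second rates, the sysctl names and the sample capture lines are assumptions. By default the script only prints the ipfw and sysctl commands; setting IPFW=/sbin/ipfw and SYSCTL=/sbin/sysctl in the environment applies them on a FreeBSD 4.x bridge.

```shell
#!/bin/sh
# Added example, not from the original message: per-service SYN rate limiting
# with ipfw + dummynet on a FreeBSD 4.x bridge, plus the tcpdump tally used to
# pick what to block. Interface name, ports, rates and the sample capture lines
# are assumptions. Dry run by default: commands are printed, not executed.
# Set IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl to apply them on the firewall.
IPFW="${IPFW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
EXT_IF="${EXT_IF:-fxp0}"          # assumed: interface facing the internet

# dummynet limits bandwidth, not packets/s; a bare SYN is about 60 bytes on the
# wire (IP + TCP + options), so allow roughly pps * 60 * 8 bit/s.
syn_rate_bits() {
    echo $(( $1 * 60 * 8 ))
}

# One pipe per service, so a flood on port 80 leaves room in the pipe for 25.
# Arguments: pipe number, TCP port, legitimate SYNs per second to let through.
limit_syn() {
    pipe=$1; port=$2; pps=$3
    # queue size (in packets) bounds the burst; anything beyond it is dropped.
    $IPFW pipe "$pipe" config bw "$(syn_rate_bits "$pps")bit/s" queue 10
    # 'setup' matches TCP with SYN set and ACK clear, i.e. new connection
    # attempts only. Established traffic never enters the pipe.
    $IPFW add "$((pipe * 100))" pipe "$pipe" tcp from any to any "$port" in recv "$EXT_IF" setup
}

# Ports nothing listens on: drop them ahead of the pipes so a bogus flood
# cannot fill a queue that a real service depends on.
block_unused() {
    $IPFW add 50 deny tcp from any to any "$1" in recv "$EXT_IF"
}

build_ruleset() {
    # bridged packets only traverse ipfw when this is set (bridge(4), 4.x)
    $SYSCTL net.link.ether.bridge_ipfw=1
    # with one_pass=1 a packet leaving a pipe is accepted, not re-evaluated
    $SYSCTL net.inet.ip.fw.one_pass=1
    $IPFW -f flush
    $IPFW -f pipe flush
    block_unused 1433        # assumed: an unused port seen being flooded
    limit_syn 1 25 20        # SMTP: 20 new connections/s
    limit_syn 2 80 50        # HTTP: 50 new connections/s
    limit_syn 3 443 50       # HTTPS: 50 new connections/s
    $IPFW add 65000 allow ip from any to any
}

# Tally SYN sources from tcpdump output so the heavy hitters can be blocked.
# Reads lines in the form that  tcpdump -n -i $EXT_IF 'tcp[13] & 0x12 == 0x02'
# prints (SYN set, ACK clear), e.g.
#   10:11:34.553 1.2.3.4.1234 > 10.0.0.3.80: S 12345:12345(0) win 5840
# and prints "count source-ip", busiest source first.
top_syn_sources() {
    awk '{ sub(/\.[0-9]+$/, "", $2); print $2 }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample capture (not real traffic) for a stand-alone run.
SAMPLE_CAPTURE='10:11:34.553 10.1.1.1.1024 > 10.0.0.3.80: S 1:1(0) win 5840
10:11:34.554 10.1.1.1.1025 > 10.0.0.3.80: S 2:2(0) win 5840
10:11:34.555 10.2.2.2.2000 > 10.0.0.3.25: S 3:3(0) win 5840
10:11:34.556 10.1.1.1.1026 > 10.0.0.3.80: S 4:4(0) win 5840'

build_ruleset
printf '%s\n' "$SAMPLE_CAPTURE" | top_syn_sources
```

The deny rule gets a lower number than the pipe rules so floods to dead ports never reach a queue, and only packets matching 'setup' are throttled, so an attack that exhausts a pipe stalls new connections to that one port while existing sessions and the other services keep working.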