Date: Fri, 13 Feb 2004 22:35:20 +0800
From: "Spades" <spades@galaxynet.org>
To: <freebsd-questions@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: SYN Attacks - how i cant stop it
Message-ID: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc>
Hi,

I got this error when I tried to type some of those: "sysctl: unknown oid....". Any idea? My server seems to be very lagged, whereas the network connection seems fine; I think it is BSD itself, as my other Redhat box is fine. What else can I do to get optimum protection? Thanks.

----- Original Message -----
From: "Per Engelbrecht" <per@xterm.dk>
To: <jhernandez@progrexive.com>
Cc: <freebsd-security@freebsd.org>
Sent: Saturday, February 07, 2004 5:58 PM
Subject: Re: SYN Attacks - how i cant stop it

> Hi,
>
> <snip>
> > all nights. Check this.
> >
> > Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> > 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> > Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
> <snip>
>
> It's hard to get rid of shit-heads like this - I'm talking about the
> person doing this attack, that is.
> You send a looong output of a log, but no info on your system or any
> adjustments you have made (or not made) on your system, i.e. kernel
> (options), sysctl (tweaks) and ipfw (rules).
> If the problem is out-of-bandwidth (and your system already has been
> optimized) then the only real solution is more 'pipe', a.k.a. the
> Microsoft solution.
> So far I've only been guessing, but here is what I normally do with my
> setup. I'm not telling you that this is the solution! Just advice!
>
> Kernel;
> options SC_DISABLE_REBOOT
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
> options IPSTEALTH (don't touch the ttl/can't see the wall)
> options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner)
> options RANDOM_IP_ID (hard to calculate ip frekv. number)
> options DUMMYNET (e.g. 40% for web, 30% for mail and so on)
> options DEVICE_POLLING (can't do this short and not with SMP)
> options HZ=1000 (can't do this short and not with SMP)
>
> Sysctl;
> kern.ipc.somaxconn=1024 #this is set high!
> kern.ipc.nmbclusters=65536 #this is set high!
> kern.polling.enable=1 #remember kernel options
> kern.polling.user_frac=50>90 #remember kernel options
> net.xorp.polling=1
> net.xorp.poll_burst=10
> net.xorp.poll_in_trap=3
> (if you use dynamic rules in ipfw [stateful] you can tweak this)
> net.inet.ip.fw.dyn_ack_lifetime=200 #shorter timeout on connection
> net.inet.ip.fw.dyn_syn_lifetime=20
> net.inet.ip.fw.dyn_fin_lifetime=20
> net.inet.ip.fw.dyn_rst_lifetime=5
> net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
> net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
> net.inet.ip.fw.dyn_count: #count of number of dynamic rules
>
> ipfw;
> There's a zillion ways to set it up. Start with a few rules regarding
> lo0 and icmp. Then use stateful inspection and dynamic rules for the
> rest of the wall.
>
> ... and by the way, I could see that a few of the scans came from RIPE
> ranges. Do some digging and report it!
> Even if the boxes are used without the owners' awareness, you can [we all
> can] bring this part to an end.
>
> respectfully
> /per
> per@xterm.dk
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
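The "sysctl: unknown oid" error Spades hit is what sysctl(8) reports when the running kernel was built without the option that provides that OID (kern.polling.* only exists with DEVICE_POLLING, net.inet.ip.fw.* only when ipfw is compiled in or loaded). The sh script below is an added example, not from either poster: it probes each OID from Per's list before it would be applied and reports the ones this kernel lacks. The SYSCTL_PROBE hook and the five-line TWEAKS subset are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): probe each sysctl OID from Per's list
# before setting it, so a kernel built without the matching option yields a
# clear "skip" line instead of sysctl(8)'s "unknown oid" error.

# Constructed subset of the tweaks quoted in the reply, in sysctl.conf form.
TWEAKS='kern.ipc.somaxconn=1024
kern.ipc.nmbclusters=65536
kern.polling.enable=1
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_max=1500'

# oid_known OID -> exit 0 if the running kernel exposes OID.
# SYSCTL_PROBE is an assumed hook (default: "sysctl -n") so the logic can be
# exercised on a box without these OIDs, e.g. by pointing it at a shell function.
oid_known() {
    ${SYSCTL_PROBE:-sysctl -n} "$1" >/dev/null 2>&1
}

# check_tweaks reads OID=VALUE lines on stdin, prints "apply" or "skip" per
# line and returns the number of OIDs the kernel does not know about.
check_tweaks() {
    unknown=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        oid=${line%%=*}
        val=${line#*=}
        if oid_known "$oid"; then
            printf 'apply %s=%s\n' "$oid" "$val"
        else
            printf 'skip  %s (unknown oid: kernel lacks the option that provides it)\n' "$oid"
            unknown=$((unknown + 1))
        fi
    done
    return "$unknown"
}

# Usage: only the lines marked "apply" are safe to feed to sysctl(8) or
# /etc/sysctl.conf on this kernel; the rest need a kernel rebuild or module first.
unknown_count=0
printf '%s\n' "$TWEAKS" | check_tweaks || unknown_count=$?
echo "OIDs not present on this kernel: $unknown_count"
```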