Site Navigation

Date:      Wed, 08 May 2002 01:57:45 -0500
From:      Greg Panula <greg.panula@dolaninformation.com>
To:        Patrick Thomas <root@utility.clubscholarship.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: what does a syncookies attack look like ?
Message-ID:  <3CD8CC69.47021F06@dolaninformation.com>
References:  <20020507214035.B8475-100000@utility.clubscholarship.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

Patrick Thomas wrote:
> 
> The reason we suspect it is an attack - or at least an outside influence -
> is that the crash/hang occurs at exxactly the same time every day.  Of
> course the first reaction to that would be "probably a cron job" ...
> however we have ruled that out by setting the system time to the time that
> it crashes .. at times of the day with analogous (or greater) load than
> when it really does crash.  When we artificially set the time to the "zero
> hour" nothing happens.
> 
> However, when that time comes up in the "real world", the server hangs
> like I described. 
.
.
.
> tcpdump on the machine itself and on the firewall reveals nothing
> interesting.  Not an interesting level of traffic in terms of transactions
> or bandwidth.  We're going crazy here trying to figure it out.  We are
> running the very first 4.5-RELEASE, and we have so far only patched the
> included sshd, and done the chmod on the `keylink` file or whatever it waw
> that was suid root.  Otherwise it is a stock very first release of
> 4.5-RELEASE.
> 
> thanks for any suggestions/help,
> 

The answer to your problem it probably related to security advisory:
FreeBSD-SA-02:20  "syncache/syncookies denial of service"

The full text of the advisory can be found at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A20.syncache.asc

All of the security advisories can be found at:
http://www.freebsd.org/security/index.html#adv


A google search for 'syncookies' or 'synflooding' should turn up some useful
information about SYN flooding and the use syncookies as a defense.

I found a quick description at:
http://www.incidents.org/diary/november01/110801.php

"On some operating systems it is possible to configure the 
kernel to use a SYN flood protection mechanism known as 
SYNcookies. The idea is that, if the server should detect 
a SYN flood attack, it can stop keeping state on waiting-to-be-
completed three way handshakes, and switch to a challenge-response 
mechanism for accepting new connections. 

When in "flood protection mode" the server embeds a cryptographically 
strong "cookie" in the TCP header of each SYN-ACK it sends. This 
cookie is a state-keeping mechanism. If a real client is actually 
engaged on the other end of the connection, the client will 
automatically return the cookie to the server when responding 
with the final ACK of the three-way-handshake. Thus, the server 
can completely forget about the connection after sending the 
SYN-ACK, because all the state data required to establish the 
new connection arrives in the final ACK. "

Good luck,
  Greg



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CD8CC69.47021F06>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact