Date:      Mon, 26 Jul 2021 13:59:14 +0100
From:      Norman Gray <gray@nxg.name>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Detecting or mitigating syn-flood attacks
Message-ID:  <57893A91-2180-441F-836F-66EAC526FBB8@nxg.name>


Greetings.

Can anyone point me towards best-practice guidance on detecting and mitigating syn-flood attacks, with a focus on FreeBSD?

We run a login server, providing ssh access to our users, from the open internet.  It's running in a jail on a FreeBSD machine.  This machine (both jail and host) has recently become unresponsive on occasion, even to the extent of it being impossible to log in on the console (the password prompt never appears).  Nothing in the logs.  We _think_ we are (or have been) victim to a syn-flood attack, but mostly on the grounds of having ruled out most plausible alternatives: we're struggling to find positive confirmation of this.

So I have two related questions:

1. What should we be looking at, to confirm or refute this hypothesis?  And, supposing that the attack has stopped when we're looking, what should we be monitoring to detect such a thing if it comes back?

2. Is there a best practice document that we should be working through?  The machine is in a jail, with firewall rules which are, I _think_, as restrictive as is compatible with the service's purpose of having port 22 open to the internet.

A few extra observations:

I thought I'd be able to find all sorts of information and guidance on this, but my google-fu seems lacking.

Regarding the sshd configuration, <https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a few points, which we're already observing.  The machine's sshd_config is pretty restrictive: I'm reasonably comfortable I understand the important parts of the sshd configuration, but there's always more to learn.  In any case, my own uncertainty is more with the pf configuration than the sshd one.

I see for example <https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-attack-nginx-go-offline.23912/>, but that's rather terse, and now 10 years old.

There are of course various 'top 20 ssh best practices !1!!' documents here and there, but their recommendations, while not necessarily wrong, tend to be rather voodoo, which doesn't make me trust them much.

I'm comfortable with basic pf configuration, but I haven't so far had to venture very far off-shore.  I'm reluctant to type in firewall rules I don't understand (*cough*).

I'm also using blacklistd on the jail host, with all its eccentricities.

Best wishes,

Norman


-- 

Norman Gray  :  https://nxg.me.uk
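One way to get the positive confirmation question 1 asks for, as an added example that is not part of the original post or of FreeBSD's tooling: compare two snapshots of the TCP syncache counters that `netstat -s -p tcp` prints and flag a burst of syncache entries, syncookies sent, or syncache overflows. The counter names are those FreeBSD's netstat prints; the per-interval thresholds and the two sample snapshots are constructed assumptions.

```python
"""Flag SYN-flood indicators by diffing FreeBSD 'netstat -s -p tcp' counters."""
import re
import subprocess

# Counter names as printed by FreeBSD netstat, with assumed per-interval
# thresholds: any syncache overflow, or a burst of entries/cookies, is
# the kind of positive evidence a SYN flood leaves behind.
INDICATORS = {
    "syncache entries added": 2000,
    "cookies sent": 100,        # kernel fell back to syncookies
    "bucket overflow": 1,       # syncache hash bucket filled up
    "cache overflow": 1,        # whole syncache filled up
}
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_tcp_stats(text):
    """Map each 'N description' line of netstat -s -p tcp output to an int."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def syn_flood_indicators(before, after):
    """Return {counter: growth} for indicators whose growth meets its threshold."""
    hits = {}
    for name, limit in INDICATORS.items():
        delta = after.get(name, 0) - before.get(name, 0)
        if delta >= limit:
            hits[name] = delta
    return hits

def live_snapshot():
    """Read the real counters on a FreeBSD host (not used by the offline demo)."""
    out = subprocess.run(["netstat", "-s", "-p", "tcp"],
                         capture_output=True, text=True, check=True)
    return parse_tcp_stats(out.stdout)

# Constructed snapshots, shaped like FreeBSD's output, taken a minute apart.
BEFORE = "tcp:\n\t120 connection requests\n\tTCP syncache statistics:\n" \
         "\t120 syncache entries added\n\t0 bucket overflow\n" \
         "\t0 cache overflow\n\t0 cookies sent\n"
AFTER = "tcp:\n\t48120 connection requests\n\tTCP syncache statistics:\n" \
        "\t48120 syncache entries added\n\t310 bucket overflow\n" \
        "\t0 cache overflow\n\t45000 cookies sent\n"

if __name__ == "__main__":
    print(syn_flood_indicators(parse_tcp_stats(BEFORE), parse_tcp_stats(AFTER)))
```

Run `live_snapshot()` twice from cron or a loop on the host to watch the real counters; a quiet interval returns an empty dict.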



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57893A91-2180-441F-836F-66EAC526FBB8>