From owner-freebsd-security Wed Jan 24 6:33:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from neo.spbnit.ru (mail.spbnit.ru [212.48.192.115])
    by hub.freebsd.org (Postfix) with ESMTP id 853AA37B6A2
    for ; Wed, 24 Jan 2001 06:33:06 -0800 (PST)
Received: from localhost.localdomain (ppp-200.pool-121.spbnit.ru [212.48.199.200])
    by neo.spbnit.ru (8.9.3+mPOP/8.9.3) with SMTP id RAA37500
    for ; Wed, 24 Jan 2001 17:33:01 +0300 (MSK)
From: "Mr. Blackman"
Reply-To: blackman@blackman.ru
To: freebsd-security@freebsd.org
Subject: DoS: socket: No buffer space available
Date: Wed, 24 Jan 2001 17:32:52 +0300
X-Mailer: KMail [version 1.0.29]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <01012417332701.31962@localhost.localdomain>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

In the last few days our server was DoSed (I'm sure).

Ok, facts:

The Problem:
IP socket: No buffer space available
UNIX Socket : No buffer space available

Victim: FreeBSD 3.4

Kernel compiled with these options:

options ICMP_BANDLIM
options TCP_DROP_SYNFIN
options TCP_RESTRICT_RST
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

/etc/rc.conf:

tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/rc.firewall"
firewall_quiet="NO"

### TCP STACK TUNING ###
# TCP send/receive spaces
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768
# Socket queue defense against SYN attacks
sysctl -w kern.ipc.somaxconn=1024 #!!!
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0
sysctl -w net.link.ether.inet.max_age=1200
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0
sysctl -w net.inet.icmp.bmcastecho=0
sysctl -w net.inet.icmp.maskrepl=0
### END TCP STACK TUNING ###

On this server all packets are filtered with IPFW and _all_, except 53 udp, are in "deny".

Yes, I know about "named DoS", but the server is completely down. And only a reboot solves the problem.

Where is the problem, where is salvation?:)

Thank you for your attention.

Mr. Blackman,
Security Officer.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message