From owner-freebsd-security@FreeBSD.ORG Mon May 19 11:02:31 2003
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: security@FreeBSD.org
Date: Mon, 19 May 2003 11:02:30 -0700 (PDT)
Message-Id: <200305191802.h4JI2UX2065455@freefall.freebsd.org>
Subject: Current problem reports assigned to you
List-Id: Security issues [members-only posting]
X-BeenThere: freebsd-security@freebsd.org

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon May 19 12:08:45 2003
From: polytarp@grex.cyberspace.org
cc: security@freebsd.org
Date: Mon, 19 May 2003 15:08:32 -0400 (EDT)
In-Reply-To: <200305191802.h4JI2UX2065455@freefall.freebsd.org>
Subject: Re: Current problem reports assigned to you

On Mon, 19 May 2003 bugmaster@freebsd.org wrote:

> Current FreeBSD problem reports
> No matches to your query

Thank god. I'm too busy these days for PROBLEM reports!
From owner-freebsd-security@FreeBSD.ORG Mon May 19 23:51:22 2003
From: Ryan James <ryan@mac2.net>
To: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 01:52:00 -0500
Subject: FreeBSD firewall block syn flood attack

Hello,

I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
the internet. The servers are being attacked with syn floods and go down
multiple times a day.

The 7 servers belong to a client, who runs redhat.

I am trying to find a way to do some kind of syn flood protection inside the
firewall.

Any suggestions would be greatly appreciated.

--
Ryan James
ryan@mac2.net

From owner-freebsd-security@FreeBSD.ORG Tue May 20 00:34:27 2003
From: Avleen Vig <avleen@silverwraith.com>
To: Ryan James
cc: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 00:34:24 -0700
Message-ID: <20030520073424.GH49820@silverwraith.com>
Subject: Re: FreeBSD firewall block syn flood attack
On Tue, May 20, 2003 at 01:52:00AM -0500, Ryan James wrote:
> Hello,
> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

SYN floods are difficult to "protect" against. In the past, the only way I
have been able to deal with them is to block all communication to the hosts
being attacked, and allow communication again when the attack ends.

The difficulty comes in when the attacker realises that you are effectively
combating the attack, and then proceeds to increase the ferocity of the
attack until either all of your bandwidth is consumed, or your network
equipment cannot handle the rate of packets coming in.

Best thing to do is just take the hosts off the network. I normally use
packet filter rules to achieve this.

From owner-freebsd-security@FreeBSD.ORG Tue May 20 01:11:39 2003
From: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
To: Ryan James
cc: freebsd-security@freebsd.org
Date: 20 May 2003 10:12:18 +0200
Message-Id: <1053418338.552.15.camel@edinburgh>
Subject: Re: FreeBSD firewall block syn flood attack

On Tue, 2003-05-20 at 08:52, Ryan James wrote:
> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

On a few of my systems I have built dummynet pipes to limit the destroying
effect of SYN-floods. By limiting incoming SYNs to a few packets per second
(the systems don't have many legit incoming connection requests per second) I
can be sure my boxes will survive the attack. A way to do this is to create
separate pipes for every service, so even though the pipe for port 80 is full,
the pipe for 25 might still have some room..

Of course, since you're limiting a lot, the DoS is easier: legitimate
connections won't succeed either. But..

First, a system going down (crash/swamp/explode) is worse than a system which
only doesn't accept connections. Immediately after the DoS-attack stops the
servers will be available again.

Secondly: most scriptkiddies are pretty stupid. I've seen quite a few
SYN-floods to ports where nothing was listening, and thus were firewalled
off. Such attacks are quite pointless, except for the bandwidth-use. This
might be the case in your situation (you didn't tell ;).
If so: just create a firewall rule blocking all incoming packets for those
ports and the dummynet queue won't fill up with bogus traffic.

Of course a little tcpdumping might help too. I've had a ping-flood of 1K
packets at 40Mbit/s from just 29 systems; by using tcpdump I could easily
figure out which traffic I wanted to block. Filtering such an attack is easy
and doable performance-wise.

Hope this helps a bit and good luck!

Pieter

From owner-freebsd-security@FreeBSD.ORG Tue May 20 02:58:06 2003
From: jeremie le-hen <le-hen_j@epita.fr>
To: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 11:58:00 +0200
Message-ID: <20030520095759.GA26095@carpediem.epita.fr>
Subject: Re: FreeBSD firewall block syn flood attack

> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

I don't think a firewall can achieve this, even if it has some matching
options like the "limit" match in Netfilter, which permits specifying a
maximum number of times a rule can match in a given period, since if the
SYN-flood is cleverly done (i.e. randomly spoofed), other valid connection
attempts will also be limited.

IMHO, the only efficient way to achieve this is to use syncookies on the
servers themselves. You should tell your client to set CONFIG_SYNCOOKIES in
their Linux kernel (in fact, in RedHat, it should already be the case, at
least if the kernel is recent enough), and then to turn it on with:

    echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Here is a description of this sysctl:

    tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket
        overflows. This is to prevent against the common 'syn flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see synflood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.
        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

        syncookies seriously violate TCP protocol, do not allow
        to use TCP extensions, can result in serious degradation
        of some services (f.e. SMTP relaying), visible not by you,
        but your clients and relays, contacting you. While you see
        synflood warnings in logs not being really flooded, your server
        is seriously misconfigured.

Note that in fact, this might be achieved on your firewall (FreeBSD also
supports syncookies), but this would imply the TCP SYNs being received by
the firewall itself, which in turn would forward the TCP connection to the
appropriate server once the connection was fully established.
(I think a simple TCP tunnel with a NAT redirection to localhost should
work.)

Regards,
--
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr
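Pieter's per-service dummynet pipes, written out as an added example for a bridge like Ryan's. This is not code from the thread; the server addresses, the two services, the 32Kbit/s SYN budget per pipe and the rule numbers are all assumptions that have to be changed for a real network. On FreeBSD 4.x bridged frames only reach ipfw once net.link.ether.bridge_ipfw is set, and the script prints the commands unless DRY_RUN=0, so the ruleset can be reviewed before it touches a live firewall. Only segments with SYN set and ACK clear ("setup") are throttled, so established connections are never slowed. As Jeremie says, this limits legitimate SYNs too; it is a way of keeping the hosts alive during a flood, not a replacement for syncookies on the hosts themselves.

```sh
#!/bin/sh
# Added example (not from the thread): per-service SYN rate limiting with
# ipfw(8) + dummynet(4) on a FreeBSD 4.x bridge firewall.
#
# Assumptions (change for your network): the protected servers, the
# services they expose, and a SYN budget of 32Kbit/s per (host, port) pipe,
# which at roughly 64 bytes per SYN frame is about 60 SYN/s. SYNs to any
# other port on these hosts are dropped; everything else passes.

SERVERS="192.0.2.10 192.0.2.11"   # assumed server addresses (RFC 5737 range)
SERVICES="25 80"                 # assumed listening ports
SYN_BW="32Kbit/s"                # assumed per-pipe SYN budget
DRY_RUN="${DRY_RUN:-1}"          # DRY_RUN=0 executes instead of printing

# Print the command, or run it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi
}

# Bridged frames only pass through ipfw when this sysctl is on (bridge(4)).
bridge_ipfw_on() {
    run sysctl net.link.ether.bridge_ipfw=1
}

# One pipe and one rule per (server, service). Only packets with SYN and
# no ACK ("setup") go through the pipe; a short queue means excess SYNs are
# dropped instead of piling up. With the default net.inet.ip.fw.one_pass=1
# a SYN leaving the pipe is accepted and not matched against later rules.
syn_limit_rules() {
    pipe=1
    rule=1000
    for host in $SERVERS; do
        for port in $SERVICES; do
            run ipfw pipe $pipe config bw $SYN_BW queue 10
            run ipfw add $rule pipe $pipe tcp from any to $host $port setup in
            pipe=$((pipe + 1))
            rule=$((rule + 10))
        done
    done
    # Pieter's second point: SYNs to ports nobody listens on should never
    # reach a pipe. Drop them outright so they cannot fill a queue.
    for host in $SERVERS; do
        run ipfw add $rule deny tcp from any to $host setup in
        rule=$((rule + 10))
    done
    # Non-SYN segments and return traffic pass here; a stricter site policy
    # would replace this catch-all with its own rules.
    run ipfw add 65000 allow ip from any to any
}

bridge_ipfw_on
syn_limit_rules
```

Run it once as is and read the output; then `DRY_RUN=0 sh syn-limit.sh` on the bridge applies it. Watch `ipfw pipe show` during an attack: a pipe whose queue is constantly full tells you which host and service is being hit, which is the input to the tcpdump work Pieter and Mike recommend.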
From owner-freebsd-security@FreeBSD.ORG Tue May 20 05:36:22 2003
From: Greg Panula <greg.panula@dolaninformation.com>
Organization: Dolan Information Center Inc
To: Ryan James
cc: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 07:36:17 -0500
Message-ID: <3ECA2141.7804A81@dolaninformation.com>
Subject: Re: FreeBSD firewall block syn flood attack

Ryan James wrote:
>
> Hello,
>
> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.
>
> Any suggestions would be greatly appreciated.

Wouldn't syn cookies help in this situation?

Since the firewall is a bridge, you would have to enable syn cookies on the
affected redhat box. According to this link: http://cr.yp.to/syncookies.html
linux supports syn cookies ( echo 1 > /proc/sys/net/ipv4/tcp_syncookies ) but
they are not enabled by default. I believe they are enabled by default on
FreeBSD. :)

Otherwise to use syn cookies at the firewall, the firewall would have to have
syn cookies enabled (sysctl variable net.inet.tcp.syncookies) and nat the
incoming traffic.

I haven't done any testing of syn cookies' protection against syn floods but
it is what they were designed for. :)

good luck,
greg

From owner-freebsd-security@FreeBSD.ORG Tue May 20 06:46:53 2003
From: Mike Silbersack <silby@silby.com>
To: jeremie le-hen
cc: freebsd-security@freebsd.org
Date: Tue, 20 May 2003 08:45:34 -0500 (CDT)
Message-ID: <20030520084338.W56510@odysseus.silby.com>
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
Subject: Re: FreeBSD firewall block syn flood attack

On Tue, 20 May 2003, jeremie le-hen wrote:

> Note that in fact, this might be achieved on your firewall (FreeBSD also
> supports syncookies), but this would imply TCP SYN to be received by the
> firewall itself, which in turn would forward the TCP connection to the
> appropriate server once the connection would be fully established.
> (I think a simple TCP tunnel with a NAT redirection to localhost should
> work.)
>
> Regards,
> --
> Jeremie aka TtZ/TataZ
> jeremie.le-hen@epita.fr

You could certainly pull that off with an application level proxy, but the
disadvantage would be that the server would no longer be able to determine
the source IP of the machines connecting to it.

It would be possible to add the syncache / syncookies to ipfw so that it
could be used to protect hosts behind it, but I don't think anyone has tried
an implementation of that yet.

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Wed May 21 08:58:35 2003
From: "Tom Dymond - Ipnoz" <tom@ipnoz.com>
To: freebsd-security@freebsd.org
Date: Wed, 21 May 2003 18:02:37 +0200
Message-ID: <018801c31fb2$663cb480$0801a8c0@xtom>
Subject: netstat/ipcs inside jail

Hi,

i've got this problem with my jail and i'm absolutely lost as to the why of
it. I previously posted this on comp.unix.bsd.freebsd.misc but i was advised
to send here. I was unable to find help on google :(

To summarize quickly: when i'm in a jail, netstat doesn't work properly.
Hopefully i have provided sufficient information for anyone willing to help
me :p

First of all, my system:

    FreeBSD cube.kmem.org 4.8-STABLE FreeBSD 4.8-STABLE #6: Tue May 20 22:22:47 CEST 2003
        root@cube.kmem.org:/usr/obj/usr/src/sys/ruby2  i386

System was updated, mergemaster done, kernel in sync with world.

The interfaces part of my rc.conf from the host:

    ifconfig_rl1="inet 10.0.2.1 netmask 255.255.255.0"
    ifconfig_rl1_alias0="inet 10.0.2.6 netmask 0xffffffff"
    route_0="10.0.2.6 -iface lo0"
    inetd_flags="-wW -a 10.0.2.1"
    portmap_enable="NO"

---

- my sysctls for the jail are set as follows and are loaded by
  /etc/sysctl.conf

    > sysctl -a | grep jail
    jail.set_hostname_allowed: 0
    jail.socket_unixiproute_only: 0
    jail.sysvipc_allowed: 1

- my kernel is compiled with these options

    > grep SYSV ruby2
    options         SYSVSHM                 #SYSV-style shared memory
    options         SYSVMSG                 #SYSV-style message queues
    options         SYSVSEM                 #SYSV-style semaphores

- df looks like this:

    > df
    Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
    /dev/ar0s1a     128990    47838    70834    40%    /
    /dev/ar0s1f    1032142       16   949556     0%    /tmp
    /dev/ar0s1g   74232392 36708258 31585544    54%    /usr
    /dev/ar0s1e    1032142    22036   927536     2%    /var
    procfs               4        4        0   100%    /proc
    procfs               4        4        0   100%    /usr/home/jail/10.0.2.6/proc

- jail is loaded by /usr/local/etc/rc.d by these 2 commands:

    mount -t procfs proc /usr/home/jail/10.0.2.6/proc
    jail /usr/home/jail/10.0.2.6 jail.kmem.org 10.0.2.6 /bin/sh /etc/rc

- when i'm out of the jail and i do this:

    > ipcs -a

  i get this:

    Message Queues:
    T     ID     KEY        MODE        OWNER    GROUP    CREATOR  CGROUP   CBYTES  QNUM   QBYTES  LSPID  LRPID  STIME    RTIME    CTIME

    Shared Memory:
    T     ID     KEY        MODE        OWNER    GROUP    CREATOR  CGROUP   NATTCH  SEGSZ  CPID   LPID   ATIME    DTIME    CTIME
    m 6946816      0 --rw-------      tom      tom      tom      tom           2 196608   3414   3380  9:59:36 10:50:07  9:59:36

    Semaphores:
    T     ID     KEY        MODE        OWNER    GROUP    CREATOR  CGROUP   NSEMS  OTIME    CTIME

  however, if i'm in the jail and i do the same command, i get this:

    ipcs: short read
    SVID messages facility not configured in the system
    ipcs: short read
    SVID shared memory facility not configured in the system
    ipcs: short read
    SVID semaphores facility not configured in the system

- if I launch a netstat inside the jail, I get an unlimited amount of lines
  that look like this, until I ^C:

    netstat: short read
    netstat: short read
    netstat: short read
    ...

The rc.conf of the jail:

    hostname="jail.kmem.org"
    portmap_enable="NO"
    network_interfaces=""
    sshd_enable="YES"
    sendmail_enable="NO"
    inetd_flags="-wW -a 10.0.2.6"

- this is what ifconfig looks like OUT of the jail:

    rl0: flags=8843 mtu 1500
            inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
            inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
            ether 00:50:8d:47:e5:67
            media: Ethernet autoselect (10baseT/UTP)
            status: active
    rl1: flags=8843 mtu 1500
            inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
            inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
            inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
            ether 00:50:fc:47:84:38
            media: Ethernet autoselect (100baseTX )
            status: active
    lp0: flags=8810 mtu 1500
    sl0: flags=c010 mtu 552
    faith0: flags=8002 mtu 1500
    vlan0: flags=0<> mtu 1500
            ether 00:00:00:00:00:00
            vlan: 0 parent interface:
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
            inet 127.0.0.1 netmask 0xff000000
    ppp0: flags=8010 mtu 1500
    tun0: flags=8051 mtu 1492
            inet 81.50.114.213 --> 81.50.114.1 netmask 0xffffff00
            Opened by PID 68
    tun2: flags=8051 mtu 1500
            inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
            inet 10.0.2.1 --> 10.0.3.1 netmask 0xff000000
            Opened by PID 258
    tun1: flags=8051 mtu 1500
            inet 10.0.2.1 --> 192.168.1.1 netmask 0xff000000
            inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
            Opened by PID 3290

- this is what ifconfig looks like IN the jail:

    rl0: flags=8843 mtu 1500
            inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
            ether 00:50:8d:47:e5:67
            media: Ethernet autoselect (10baseT/UTP)
            status: active
    rl1: flags=8843 mtu 1500
            inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
            inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
            ether 00:50:fc:47:84:38
            media: Ethernet autoselect (100baseTX )
            status: active
    lp0: flags=8810 mtu 1500
    sl0: flags=c010 mtu 552
    faith0: flags=8002 mtu 1500
    vlan0: flags=0<> mtu 1500
            ether 00:00:00:00:00:00
            vlan: 0 parent interface:
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    ppp0: flags=8010 mtu 1500
    tun0: flags=8051 mtu 1492
            Opened by PID 68
    tun2: flags=8051 mtu 1500
            inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
            Opened by PID 258
    tun1: flags=8051 mtu 1500
            inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
            Opened by PID 3290

--> when i built the jail, i cvsupped the stable branch, then i followed the
procedure described in man jail. i then rebuilt my kernel. maybe i'm missing
a device in the jail, maybe i have a route problem. maybe it's the absence of
the loopback .. i'm not sure what to look for really. i rebuilt the world on
the host with exactly the same sources as the jail, all is in sync.

--> With putty's logging feature i managed to grab this:

    netstat
    Active Internet connections
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0     52  jail.ssh               ALyon-209-2-1-2..2484  ESTABLISHED
    tcp4       0      0  jail.smtp              *.*                    LISTEN
    tcp4       0      0  jail.ssh               *.*                    LISTEN
    tcp4       0      0  jail.telnet            *.*                    LISTEN
    tcp4       0      0  jail.domain            *.*                    LISTEN
    udp4       0      0  jail.syslog            *.*
    udp4       0      0  jail.ntp               *.*
    udp4       0      0  jail.domain            *.*
    netstat: short read
    netstat: short read
    netstat: short read
    .....(goes on for miles and miles if i dont ^C)

just in case: kmem and the kernel are linked to the jail's dev/null

    cube# ll /usr/home/jail/10.0.2.6/dev/kmem
    lrwx------  1 root  wheel  4 May 21 17:05 /usr/home/jail/10.0.2.6/dev/kmem -> null
    cube# ll /usr/home/jail/10.0.2.6/kernel
    lrwxr-xr-x  1 root  wheel  8 May 17 17:08 /usr/home/jail/10.0.2.6/kernel -> dev/null

-----

Thanks in advance for any possible help

Tom

From owner-freebsd-security@FreeBSD.ORG Wed May 21 10:45:02 2003
From: "Nielsen" <nielsen@memberwebs.com>
To: "Tom Dymond - Ipnoz", freebsd-security@freebsd.org
Resent-Date: Wed, 21 May 2003 16:48:09 +0000 (GMT)
Message-Id: <20030521164808.674273FF2B7@mail.npubs.com>
References: <018801c31fb2$663cb480$0801a8c0@xtom>
Subject: Re: netstat/ipcs inside jail
> From: "Tom Dymond - Ipnoz"
>
> if I launch a netstat inside a jail, I get a unlimited amount of lines that
> look like this, until I ^C
> netstat: short read
> netstat: short read
> netstat: short read
> ...

I'd just like to add ... from experience (running many many jails) netstat
works fine in certain jails but not others. I haven't been able to figure out
exactly what the differing issue is.

Nate Nielsen

From owner-freebsd-security@FreeBSD.ORG Wed May 21 15:11:54 2003
From: Mike Hoskins <mike@adept.org>
To: freebsd-security@freebsd.org
Date: Wed, 21 May 2003 15:08:24 -0700 (PDT)
Message-ID: <20030521145102.C33754@fubar.adept.org>
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
Subject: Re: FreeBSD firewall block syn flood attack

> > I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> > the internet. The servers are being attacked with syn floods and go down
> > multiple times a day.

From disparate sources? Start with a sniffer and attempt to understand the
nature of your attacker. Is he clever? If not, you may not have to be that
clever to defeat him.

> > The 7 servers belong to a client, who runs redhat.

Suggest grabbing the latest errata via up2date/rhn and ensuring syncookies
are enabled per others' suggestions.

On Tue, 20 May 2003, jeremie le-hen wrote:
> I don't think a firewall can achieve this, even if it has some matching
> options like the "limit" match in Netfilter, which permits to specify a
> maximum number of times a rule can match in a given period, since if the
> SYN-flood is cleverly done (ie. randomly spoofed), other valid connections
> attempts will be also limited.

Of course there is no single answer... The overall effectiveness, as another
pointed out, comes down to bandwidth. No matter how clever you are, if the
attacker can manage to use all available bandwidth... they win. If more
providers properly filtered on their access devices, spoofing would be much
less of an issue. Even with spoofing, attacks often follow a typical
"profile". So... There are things a firewall can do... But the place to
start is ensuring you understand as much as possible about your attacker and
the mode of attack.

-mrh

--
From: "Spam Catcher" To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a
blacklist!
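Mike's "start with a sniffer" and Pieter's tcpdump remark, turned into an added example that is not part of the thread: a small sh/awk triage that reads the text output of tcpdump and reports SYNs per source and per target port, then says whether the flood comes from a handful of real hosts (filter them by address) or from what looks like random spoofing (where only rate limiting at the bridge or syncookies on the hosts help). It is meant to be fed with something like `tcpdump -n -i rl0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` run on the bridge; the interface name is an assumption, and the capture lines embedded below are constructed for the example, not a real capture from Ryan's network.

```sh
#!/bin/sh
# Added example (not from the thread): triage a SYN flood from tcpdump text.
# Handles the classic tcpdump 3.x line format FreeBSD 4.x ships
# ("src.port > dst.port: S ...") and the newer "Flags [S]" format.

# Constructed sample capture: a flood from a few real hosts against port 80,
# plus one ordinary SMTP connection attempt to a second server.
SAMPLE='07:57:11.000001 198.51.100.7.40001 > 192.0.2.10.80: S 1:1(0) win 512
07:57:11.000002 198.51.100.7.40002 > 192.0.2.10.80: S 2:2(0) win 512
07:57:11.000003 198.51.100.7.40003 > 192.0.2.10.80: S 3:3(0) win 512
07:57:11.000004 203.0.113.9.1025 > 192.0.2.10.80: S 4:4(0) win 512
07:57:11.000005 203.0.113.9.1026 > 192.0.2.10.80: S 5:5(0) win 512
07:57:11.000006 203.0.113.9.1027 > 192.0.2.10.80: S 6:6(0) win 512
07:57:11.000007 198.51.100.7.40004 > 192.0.2.10.80: S 7:7(0) win 512
07:57:11.000008 203.0.113.77.3000 > 192.0.2.10.80: S 8:8(0) win 512
07:57:11.000009 198.51.100.7.40005 > 192.0.2.10.80: S 9:9(0) win 512
07:57:11.000010 198.51.100.200.2020 > 192.0.2.11.25: S 10:10(0) win 16384'

# Emit "src dstport" for every SYN-only line on stdin. The fields on either
# side of ">" are taken positionally, so a timestamp or "IP" prefix does not
# matter.
syn_pairs() {
    awk '
    / S |Flags \[S\]/ {
        for (i = 2; i < NF; i++) if ($i == ">") break
        src = $(i - 1); dst = $(i + 1)
        sub(/\.[0-9]+$/, "", src)            # strip the source port
        sub(/:$/, "", dst)
        n = split(dst, d, "[.]")              # last component is the port
        print src, d[n]
    }'
}

# Sources sorted by SYN count, most active first: candidates for an
# "ipfw add deny ip from <src> to any" rule when the list is short.
syn_top_sources() {
    syn_pairs | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Target ports, so ports nobody listens on can be blocked outright.
syn_target_ports() {
    syn_pairs | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# "concentrated" when a few addresses carry the flood (filter them),
# "spoofed" when nearly every SYN has a different source (rate limit or
# syncookies), "quiet" when there is too little data to judge.
syn_verdict() {
    syn_pairs | awk '
    { total++; seen[$1]++ }
    END {
        distinct = 0; for (s in seen) distinct++
        if (total < 5)                    print "quiet"
        else if (distinct >= 0.9 * total) print "spoofed"
        else                              print "concentrated"
    }'
}

printf '%s\n' "$SAMPLE" | syn_top_sources
printf '%s\n' "$SAMPLE" | syn_target_ports
printf '%s\n' "$SAMPLE" | syn_verdict
```

On a live bridge pipe tcpdump straight in (`tcpdump -n -l -i rl0 ... | syn_top_sources`) and re-run every minute; a source list that keeps changing completely between runs is the spoofed case, while a stable short list is the one Pieter describes, where a few deny rules end the attack.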
From owner-freebsd-security@FreeBSD.ORG Wed May 21 22:54:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7516637B401 for ; Wed, 21 May 2003 22:54:09 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B229B43F75 for ; Wed, 21 May 2003 22:54:08 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA09677; Wed, 21 May 2003 23:53:56 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20030521234939.02fbdc20@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 21 May 2003 23:53:54 -0600 To: Mike Silbersack , jeremie le-hen From: Brett Glass In-Reply-To: <20030520084338.W56510@odysseus.silby.com> References: <20030520095759.GA26095@carpediem.epita.fr> <20030520095759.GA26095@carpediem.epita.fr> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: freebsd-security@freebsd.org Subject: Re: FreeBSD firewall block syn flood attack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 May 2003 05:54:09 -0000 At 07:45 AM 5/20/2003, Mike Silbersack wrote: >It would be possible to add the syncache / syncookies to ipfw so that it >could be used to protect hosts behind it, but I don't think anyone has >tried an implementation of that yet. This would require the creation of a general transparent TCP proxy which did the 3-way handshake and then connected to the internal host only if the handshake succeeded. 
Trouble is, it would need to translate sequence numbers throughout the entire session. Could be done with divert sockets and a daemon like natd, I imagine.

--Brett

From owner-freebsd-security@FreeBSD.ORG Thu May 22 15:22:38 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4D8737B401 for ; Thu, 22 May 2003 15:22:38 -0700 (PDT)
Received: from computer.multihaven.org (rrcs-midsouth-24-172-21-179.biz.rr.com [24.172.21.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id DF0B143FB1 for ; Thu, 22 May 2003 15:22:33 -0700 (PDT) (envelope-from jeremy@multihaven.org)
Received: from engineering.multihaven.org (engineering.multihaven.org [192.168.215.2])h4MMMVJV000734 for ; Thu, 22 May 2003 18:22:31 -0400 (EDT) (envelope-from jeremy@multihaven.org)
Message-Id: <5.2.0.9.2.20030522181931.00baf808@computer.multihaven.org>
X-Sender: jeremy@computer.multihaven.org (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Thu, 22 May 2003 18:22:31 -0400
To: freebsd-security@freebsd.org
From: Jer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: NAT+IPFW
X-List-Received-Date: Thu, 22 May 2003 22:22:39 -0000

Dear all,

I need to do the following. I have a fbsd router that runs nat and routes some public IP addresses. I need to use the ipfw rules to deny traffic from the public IP's AND the nat to do bandwidth limiting, eg

deny tcp from 192.168.200.1 to www.yahoo.com http out

and

deny tcp from 24.199.213.1 to www.yahoo.com http out

My question is where do I place the rules in relation to the divert rules etc.

Thanks

From owner-freebsd-security@FreeBSD.ORG Thu May 22 17:00:08 2003
Return-Path:
Delivered-To:
freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD8CA37B401 for ; Thu, 22 May 2003 17:00:07 -0700 (PDT)
Received: from athenas.yan.com.br (athenas.yan.com.br [200.202.253.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 6F94243F85 for ; Thu, 22 May 2003 17:00:05 -0700 (PDT) (envelope-from ddg@yan.com.br)
Received: (qmail 9675 invoked by uid 1023); 22 May 2003 20:58:30 -0300
Message-ID: <20030522235830.9674.qmail@athenas.yan.com.br>
To: freebsd-config@freebsd.org, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-net@freebsd.org
From: "ddg"
Date: Thu, 22 May 2003 20:58:30 --300
X-Priority: 3
X-Mailer: Yan Internet Webmail 1.0
X-Originating-IP: [200.202.253.162]
MIME-Version: 1.0
Content-Type: text/plain; charset=
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: VPN IPSEC WIRELESS
X-List-Received-Date: Fri, 23 May 2003 00:00:08 -0000

I am having problems in the implementation of a VPN; below I made a project of my net:

INTRANET (10.0.0.0/24)
        |
    10.0.0.5 xl0
    NetBSD IPNAT ( map wi0 10.0.0.0/24 -> 192.168.213.10 )
    wi0 192.168.213.10/30
        |
        |  Wireless VPN
        |
    192.168.213.9/30 xl2
    FreeBSD NATD ( divert natd all from any to any )
    xl0 200.x.x.5/24
        |
    200.x.x.1/24 Router
        |
        |
    INTERNET

NetBSD Node ( ipsec.conf ):

spdadd 192.168.213.10 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.213.10-192.168.213.9/require;
spdadd 0.0.0.0/0 192.168.213.10 any -P in ipsec esp/tunnel/192.168.213.9-192.168.213.10/require;

FreeBSD Node ( ipsec.conf ):

spdadd 0.0.0.0/0 192.168.213.10 any -P out ipsec esp/tunnel/192.168.213.9-192.168.213.10/require;
spdadd 192.168.213.10 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.213.10-192.168.213.9/require;

The connection between the NetBSD and the FreeBSD
work correctly. The problem is when I make a connection from the computer with IP 10.0.0.1 to an IP in the Internet. I do not know how to make a rule for ipsec.conf so that the connections from 10.0.0.0/24 are directed inside the tunnel. Does somebody know the solution?

[]s

Daniel Dias Gonçalves
f22@netbsd.com.br

----

From owner-freebsd-security@FreeBSD.ORG Sat May 24 23:57:17 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 90A6437B401 for ; Sat, 24 May 2003 23:57:17 -0700 (PDT)
Received: from port995.com (port995.com [213.162.97.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0B0A43F85 for ; Sat, 24 May 2003 23:57:16 -0700 (PDT) (envelope-from sansan@cas.port995.com)
Received: by port995.com (Port995 Mail, from userid 77) id 5C31614076B7; Sun, 25 May 2003 07:57:11 +0100 (BST)
Received: from cas.port995.com (Authenticated SMTP client) by port995.com (Port995 Mail) with ESMTP id 1CD0B14076AE for ; Sun, 25 May 2003 07:57:10 +0100 (BST)
Message-ID: <3ED06967.90306@cas.port995.com>
Date: Sun, 25 May 2003 07:57:43 +0100
From: Santos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
X-Enigmail-Version: 0.75.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfirewall(4)) cannot be changed
X-List-Received-Date: Sun, 25 May 2003 06:57:17 -0000

root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
     3     Network secure mode - same as highly secure mode, plus IP
           packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be
           changed and
           dummynet(4) configuration cannot be adjusted.
root@vigilante /root cuaa1# sysctl -a |grep secure
kern.securelevel: 3
root@vigilante /root cuaa1# ipfw show
00100    0    0 allow ip from any to any via lo0
00200    0    0 deny ip from any to 127.0.0.0/8
00300    0    0 deny ip from 127.0.0.0/8 to any
65535   44 3648 deny ip from any to any
root@vigilante /root cuaa1# ping 216.136.204.21
PING 216.136.204.21 (216.136.204.21): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 216.136.204.21 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@vigilante /root cuaa1# telnet 216.136.204.21 80
Trying 216.136.204.21...
telnet: connect to address 216.136.204.21: Permission denied
telnet: Unable to connect to remote host
root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
net.inet.ip.fw.enable: 1 -> 0
root@vigilante /root cuaa1# ping 216.136.204.21
PING 216.136.204.21 (216.136.204.21): 56 data bytes
64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
64 bytes from 216.136.204.21: icmp_seq=1 ttl=50 time=346.135 ms
^C
--- 216.136.204.21 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 338.878/342.506/346.135/3.629 ms
root@vigilante /root cuaa1# telnet 216.136.204.21 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
quit
501 Method Not Implemented

Method Not Implemented

quit to /index.html not supported.

Invalid method in request quit / HTTP/1.1

Connection closed by foreign host.

Santos