From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 07:26:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50C1916A53A for ; Fri, 13 Feb 2004 07:26:09 -0800 (PST) Received: from mail.1plan.net (ns1.1plan.net [216.240.143.74]) by mx1.FreeBSD.org (Postfix) with SMTP id 23AE043D1D for ; Fri, 13 Feb 2004 07:26:09 -0800 (PST) (envelope-from aanton@reversedhell.net) Received: (qmail 4234 invoked by uid 98); 13 Feb 2004 15:29:33 -0000 Received: from aanton@reversedhell.net by cp by uid 101 with qmail-scanner-1.20 (clamscan: 0.65. Clear:RC:1(81.196.32.25):SA:0(0.0/4.7):. Processed in 0.491042 secs); 13 Feb 2004 15:29:33 -0000 X-Spam-Status: No, hits=0.0 required=4.7 X-Qmail-Scanner-Mail-From: aanton@reversedhell.net via cp X-Qmail-Scanner: 1.20 (Clear:RC:1(81.196.32.25):SA:0(0.0/4.7):. Processed in 0.491042 secs) Received: from unknown (HELO reversedhell.net) (81.196.32.25) by ns1.1plan.net with SMTP; 13 Feb 2004 15:29:32 -0000 Message-ID: <402CECD8.7020906@reversedhell.net> Date: Fri, 13 Feb 2004 17:27:20 +0200 From: Anton Alin-Adrian User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6b) Gecko/20031212 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> In-Reply-To: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> X-Enigmail-Version: 0.83.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Feb 2004 15:26:10 -0000 Spades wrote: > Hi, > > I got this error when i tried to type for some of those. > "sysctl: unknown oid...." any idea.. > > my server seems to be very lagged, where else > the network connection seems fine, i think BSD > itself as my other redhat box is fine. > > What else can i do to get optimum protection. > > Thanks. > > ----- Original Message ----- > From: "Per Engelbrecht" > To: > Cc: > Sent: Saturday, February 07, 2004 5:58 PM > Subject: Re: SYN Attacks - how i cant stop it > > > >>Hi, >> >> >> >>>all nights. Check this. >>> >>>Feb 6 11:54:24 TCP: port scan detected [port 6667] from >>>212.165.80.117 [ports 63432,63453,63466,63499,63522,...] >>>Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - >> >> >> >> >>It's hard to get rid of shit-heads like this - I'm talking about the >>person doing this attac, that is. >>You send a looong output of a log, but no info on your system or any >>adjustments you have made (or not made) on your system i.e. kernel >>(options), sysctl (tweaks) and ipfw (rules). >>If the problem is out-of-bandwith (and your system already has been >>optimized) then the only real solution is more 'pipe' a.k.a the >>Microsoft-solution. >>So fare I've only been guessing, but here is what I normally do with my >>setup. I'm not telling you that this is the solution! just adwises! >> >>Kernel; >>options SC_DISABLE_REBOOT >>options IPFIREWALL >>options IPFIREWALL_VERBOSE >>options IPFIREWALL_VERBOSE_LIMIT=100 >>options IPDIVERT >>options IPFILTER >>options IPFILTER_LOG >>options IPSTEALTH (don't touch the ttl/can't see the wall) >>options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner) >>options RANDOM_IP_ID (hard to do calculate ip frekv. number) >>options DUMMYNET (e.g. 40% for web, 30% for mail and so on) >>options DEVICE_POLLING (can't do this short and not with SMP) >>options HZ=1000 (can't do this short and not with SMP) >> >>Sysctl; >>kern.ipc.somaxconn=1024 #this is set high! >>kern.ipc.nmbclusters=65536 #this is set high! >>kern.polling.enable=1 #remember kernel options >>kern.polling.user_frac=50>90 #remember kernel options >>net.xorp.polling=1 >>net.xorp.poll_burst=10 >>net.xorp.poll_in_trap=3 >>(if you use dynamic rules in ipfw [stateful] you can tweak this) >>net.inet.ip.fw.dyn_ack_lifetime=200 #shorte timeout on connection >>net.inet.ip.fw.dyn_syn_lifetime=20 >>net.inet.ip.fw.dyn_fin_lifetime=20 >>net.inet.ip.fw.dyn_rst_lifetime=5 >>net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp >>net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules >>net.inet.ip.fw.dyn_count: #count of number of dynamic rules >> >>ipfw; >>There's a zillion ways to set it up. start with a few rules regarding >>lo0 and icmp. Then use stateful inspection and dynamic rules for the >>rest of the wall. >> >>... and by the way, I could see that a few of the scan came from RIPE >>ranges. Do some digging and report it! >>Even if the boxes are use without the owners awareness, you can [we all >>can] bring this part to an end. >> >>respectfully >>/per >>per@xterm.dk >> >> >> >> >>_______________________________________________ Most important, you did turn on syncookies, did you not? FreeBSD is pretty immune to syn floods. As for out of bandwidth, this has to do with your uplink and how much you pay for your traffic. root# sysctl net.inet.tcp.syncookies If it is not set to one, then do: root# sysctl net.inet.tcp.syncookies=1 Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1. A reboot would clear the tcp stack. You can't reboot remotely if kernel securelevel is enabled in /etc/rc.conf. If you don't have firewall support compiled in the kernel, kldload ipfw. Might be a good lesson to mirror back all incoming syn packets from the attacker's IP to him. To port 80, or 22, or to some any other open port. You can do that easely with ipfw. -- Alin-Adrian Anton Reversed Hell Networks GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E) gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E