Date:      Sun, 12 Dec 1999 21:00:31 -0800 (PST)
From:      Jaye Mathisen <mrcpu@internetcds.com>
To:        Greg Prosser <greg@snickers.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: SYN Hardening patches? / SYN Code in 3.4-RC
Message-ID:  <Pine.BSF.4.10.9912122059150.401-100000@schizo.cdsnet.net>
In-Reply-To: <NDBBKDPPPIAOMPHNGECCCEPKCBAA.greg@snickers.org>


Note that changing maxusers bumps a lot of other parameters as well (look
at param.c).

You can just bump NMBCLUSTERS, maybe try 10k or so, work your way up from
there.

One obvious solution may be to try using some kind of bandwidth limiting
on your upstream router.

On Sun, 12 Dec 1999, Greg Prosser wrote:

> 	Hey guys, sorry to throw off your weekends, but I have a few quick
> questions that I'd like answers to, and searches turn up fairly little.
> 
> 	First of all, I operate a machine that frequently comes under heavy denial
> of service attacks, which often include SYN attacks. This often causes
> kernel panics and reboots with messages logged as '/kernel: Out of mbuf
> clusters - adjust NMBCLUSTERS or increase maxusers!'. I had maxusers at 256
> at that point, and had 'options NMBCLUSTERS=2048' in the kernel as well --
> it still failed.
> 	I'm hoping that increasing maxusers to 512, and bumping NMBCLUSTERS to 4096
> is going to provide some help, but somehow I doubt it. (1MB/s of SYN packets
> coming in does not fare well, and the unplanned boots are wreaking havoc on
> my filesystems).
> 	I don't know what mbuf clusters even are, so any light on the situation
> there could help too. As far as I've found, mbuf clusters are simply the
> 'backlog' created by sending syn packets? For open sockets and the like..
> 
> 	I've explored LINT, and come across these options:
> 
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
> #
> # TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
> # This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
> # or any system which one does not want to be easily portscannable.
> #
> options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
> options         TCP_RESTRICT_RST        #restrict emission of TCP RST
> 
> 	I added the second to the last kernel that did fault, and omitted the first
> because we do run a webserver, and it just had that spooky sound with it
> that rm -rf / gives off :)
> 
> 	I've also come across a patch posted to a mailing list for FreeBSD 3.1, for
> SYN_RATELIM'ing, sounds like this could also help.
> 	(http://www2.merton.ox.ac.uk/~security/archive-199905/0282.html)
> 
> 	I'm at a complete loss for what to do here -- I'd like the reboots to stop.
> 
> 	Any help you could give me at all would be appreciated, whacks with
> clue-by-fours aren't that bad either.
> 
> Thanks in advance!
> 
>                     .           .      .   ... ..  .     ..   .... .
>              x y s t @ s t r a y n e t . c o m                 __
> senior administrator, straynet online      .--.--.--.--.-----.|  |_
> it was designed to do that. honest.        |_   _|  |  |__ --||   _|
> icq: 10405504             aol im: xysters  |__.__|___  |_____||____|
>                                                  |_____|
> Jennifer Lopez? -- Now THAT's big endian!
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
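An added check, not code from this thread or from FreeBSD itself, for the mbuf-cluster exhaustion Greg describes: it computes the NMBCLUSTERS value that maxusers implies (assuming the 3.x/4.x-era param.c default of 512 + 16 * maxusers) and parses netstat -m output (assuming a 4.x-style "cur/peak/max mbuf clusters in use" line; the sample output below is constructed) so the ceiling can be raised before the kernel runs out of clusters and panics.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself.
# Two defender-side checks for mbuf-cluster exhaustion:
#  1. the default NMBCLUSTERS that maxusers implies, assuming the
#     3.x/4.x-era param.c formula 512 + 16 * maxusers (assumption);
#  2. a warning when "netstat -m" shows cluster usage nearing that ceiling,
#     assuming a 4.x-style "cur/peak/max mbuf clusters in use" line (assumption).

# Cluster count param.c derives from maxusers when NMBCLUSTERS is not set.
default_nmbclusters() {
    echo $(( 512 + 16 * $1 ))
}

# Read netstat -m output on stdin; print the percentage of the cluster
# ceiling currently in use. Returns 2 if the expected line is absent.
cluster_usage_pct() {
    line=$(grep 'mbuf clusters in use' | head -n 1)
    [ -n "$line" ] || return 2
    counts=${line%% *}          # e.g. "231/266/8704"
    cur=${counts%%/*}
    max=${counts##*/}
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( cur * 100 / max ))
}

# check_clusters "<netstat -m output>" [threshold%]: returns 0 below the
# threshold, 1 at or above it (time to raise NMBCLUSTERS or rate-limit upstream).
check_clusters() {
    threshold=${2:-80}
    pct=$(printf '%s\n' "$1" | cluster_usage_pct) || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: mbuf clusters at ${pct}% of NMBCLUSTERS"
        return 1
    fi
    echo "OK: mbuf clusters at ${pct}% of NMBCLUSTERS"
}

# Constructed sample output (not captured from a real host).
SAMPLE_IDLE='295/448/34816 mbufs in use (current/peak/max):
231/266/8704 mbuf clusters in use (current/peak/max)'
SAMPLE_FLOOD='34000/34816/34816 mbufs in use (current/peak/max):
8400/8704/8704 mbuf clusters in use (current/peak/max)'

# Live use would be: check_clusters "$(netstat -m)" 80
check_clusters "$SAMPLE_IDLE"
check_clusters "$SAMPLE_FLOOD" || echo "consider: options NMBCLUSTERS=$(default_nmbclusters 512)"
```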


