Date:      Thu, 7 Aug 2008 13:11:50 -0400
From:      Tom Huppi <tomh@huppi.com>
To:        FreeBSD <freebsd@optiksecurite.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: syn flood, tcpdump readings
Message-ID:  <20080807171150.GD10818@huppi.com>
In-Reply-To: <489B1049.9000002@optiksecurite.com>
References:  <20080807101825.GC10818@huppi.com> <489B1049.9000002@optiksecurite.com>

On 11:10 Thu 07 Aug     , FreeBSD wrote:
> Tom Huppi wrote:
> >I have been using 'pf' for about 8 months now, and it has been
> >rock solid and a real pleasure to use.  I built it into: FreeBSD
> >6.3-PRERELEASE (PEO2) #2: Mon Dec 10 19:45:05 PST 2007.  I've
> >not wished to re-start PF for 7 months since it is doing live
> >traffic and I didn't do a pfsync implementation (won't make that
> >mistake again and am working on such a solution now.)
> >
> >I am making high use of the load balancer and it is extremely
> >useful to us.
> >
> >My gateway host acts as a simple router with three physical
> >interfaces, but I only filter on the interface connected to my
> >provider (set skip on { lo0 em0 bce1 }).
> >
> >Anyway, I am getting what I believe to be syn floods
> >periodically.  They dwarf my production traffic and sometimes
> >get close to producing as much bandwidth as we are paying for.  A
> >representative sample looks like so when viewed with tcpdump on
> >my outward interface ('em1'):
> >
> >21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> >21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> >21:36:53.870325 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> >21:36:53.870369 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> >21:36:53.870371 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> >21:36:53.870373 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> >21:36:53.870375 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> >21:36:53.870377 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
> >21:36:53.870381 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> >21:36:53.870383 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> >21:36:53.870385 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> >21:36:53.870396 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> >21:36:53.870403 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> >21:36:53.870409 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> >21:36:53.870416 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> >21:36:53.870422 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
> >
> >
> >I run 'pfstat' and here is a representative chart showing
> >bandwidth.  The chart of packets almost completely obscures real
> >traffic since the syn packets are small:
> >
> >http://www.huppi.com/t/tmp/pfstat_2days.png
> >
> >
> >My confusion is that my charts show outgoing traffic matching
> >incoming traffic, but I see no outgoing with tcpdump.  My
> >uplink is Gig ethernet rate-limited by my network provider.  I
> >think perhaps the outgoing traffic is something other than TCP,
> >but I wanted to ask on this list since I couldn't spot an answer
> >in surfing around and network stuff is really not my area of
> >expertise.
> >
> >My fear is that I actually am responding in some manner to these
> >packets and either inviting more of these attacks, or worse,
> >allowing my service to attack other people (say if the incoming
> >IP was spoofed to an attack target.)
> >
> >---
> >
> >A slightly less important question is whether attacks like this
> >are 'par for the course' and expected, and how bad they can
> >get.  I do fear that at an inopportune time I will receive an
> >attack which consumes all of my bandwidth and causes performance
> >issues for my real traffic.  (I'm developing more faith in
> >PF's ability to handle things...so far I see no degradation
> >whatsoever during these attacks.)
> >
> >
> >My typical rules look like so:
> >
> >pass proto tcp from any to <pool_taslb_100> port $tase_int_ports flags S/SA synproxy state
> >
> >and I really only notice attacks after I started using
> >'synproxy'.  Whether I had them prior and just didn't notice, I
> >am not sure.  I've not used any of the 'max-*' stuff because I
> >don't fully understand the problem and issues, and I am using a
> >somewhat dated codebase.
> >
> >---
> >
> >Thanks for any thoughts, hints, pointers, etc.
> >
> > - Tom
> >
> Hi,
> 
> I think that you should look at the 'scrub' directive in pf.conf. I 
> think that a 'scrub in all' should block that kind of malformed packet.

I have used 'scrub' in one form or another from the start.  My
current one looks like so:

  scrub    on $ext_if all reassemble tcp
  #scrub in on $ext_if
  #scrub in all

Actually, I think that PF is doing a fine job of 'blocking' the
packets, but I of course have limited control over the packets
getting to my gateway in the first place.

I was probably not clear on my question.  To re-phrase:

1) Am I really sending out as much bandwidth as I am receiving
   when these trillions of packets arrive?

2) If so, why can I not see the traffic with tcpdump?

Thanks for any insights,

 - Tom
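An added example, not part of the thread and not code from either poster: a small Python detector for the pattern visible in the quoted capture (one source address, one fixed source port, many destinations, and the same initial sequence numbers reappearing). It parses the classic pre-4.0 tcpdump TCP line format the capture uses, so it can be pointed at saved tcpdump text. The sample lines, the RFC 5737 documentation addresses in them, the thresholds, and the function names (`parse_line`, `find_syn_floods`, `report`) are all constructed assumptions.

```python
import re
from collections import defaultdict

# Classic (pre-4.0) tcpdump TCP line, as quoted in the thread:
#   21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
# Ports may be service names (x11, domain) or numbers; a SYN-ACK carries an extra "ack N" field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRPAUEW.]+) (?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)? win (?P<win>\d+)"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = rec["ts"].split(":")
    rec["t"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    rec["seq"] = int(rec["seq"])
    # a bare SYN has only the S flag and no "ack" field; a SYN-ACK reply has both
    rec["bare_syn"] = rec["flags"] == "S" and rec["ack"] is None
    return rec


def find_syn_floods(lines, window=1.0, min_syns=8, min_dsts=4):
    """Report sources that send >= min_syns bare SYNs to >= min_dsts distinct
    destination addresses within any window-second span.  Thresholds are
    illustrative assumptions; tune them to the site's normal connection rate."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["bare_syn"]:
            by_src[rec["src"]].append(rec)

    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["t"])
        best, start = [], 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits in `window` seconds
            while recs[end]["t"] - recs[start]["t"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        dsts = {r["dst"] for r in best}
        if len(best) >= min_syns and len(dsts) >= min_dsts:
            seqs = [r["seq"] for r in best]
            findings.append({
                "src": src,
                "syns": len(best),
                "distinct_dsts": len(dsts),
                "sports": sorted({r["sport"] for r in best}),
                # a real TCP stack picks a fresh ISN per attempt; reused ISNs point at a packet generator
                "reused_isns": len(seqs) - len(set(seqs)),
            })
    return findings


# Constructed sample, modelled on the quoted capture but using RFC 5737 documentation addresses:
# one source, fixed source port, eight destinations, then the same eight again with identical ISNs,
# plus one SYN-ACK reply and one ordinary SYN from another host that must not be flagged.
_FLOOD = [("195", 27394048), ("204", 1793916928), ("190", 1669070848), ("185", 601948160),
          ("166", 1129906176), ("179", 1231945728), ("171", 1524105216), ("26", 1212678144)]
SAMPLE_LINES = [
    f"21:36:53.8703{i:02d} IP 198.51.100.7.x11 > 203.0.113.{host}.domain: S {isn}:{isn}(0) win 16384"
    for i, (host, isn) in enumerate(_FLOOD + _FLOOD)
] + [
    "21:36:53.870900 IP 203.0.113.195.domain > 198.51.100.7.x11: S 4000:4000(0) ack 27394049 win 65535",
    "21:36:54.120044 IP 192.0.2.10.51234 > 203.0.113.195.domain: S 88123:88123(0) win 65535",
]


def report(lines=SAMPLE_LINES):
    """Print one line per flagged source and return the findings for callers."""
    findings = find_syn_floods(lines)
    for f in findings:
        print(f"{f['src']}: {f['syns']} SYNs to {f['distinct_dsts']} hosts, "
              f"sport {','.join(f['sports'])}, {f['reused_isns']} reused ISNs")
    return findings


if __name__ == "__main__":
    report()
```

To run it over a real capture, pass the saved tcpdump text file line by line (`find_syn_floods(open("capture.txt"))`). Counting only bare SYNs, and not lines carrying an `ack` field, keeps inbound connection attempts separate from any SYN-ACK replies on the same interface; the `reused_isns` count is the tell that no real TCP stack sits behind the source, since a genuine client chooses a fresh initial sequence number for each attempt.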
