Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 05 Jan 2003 22:51:28 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        soralx@cydem.zp.ua
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: DDoS attacks, packets captured ... not sure what to do.
Message-ID:  <3E192770.43B3D489@mindspring.com>
References:  <20030105145150.N80512-100000@mail.econolodgetulsa.com> <200301052332.59925.soralx@cydem.zp.ua>

next in thread | previous in thread | raw e-mail | index | archive | help
soralx@cydem.zp.ua wrote:
> > 1. a ton of   TCP  SYN,   [1658]  -> [106] 3COM-TSMUX   to ports that do
> > not exist on the target.
> 
> this is not a 'SYN flood'; 'SYN flood'=TCP SYN+FIN
> seems like someone is continuosly using TCP SYN "half-open"
> scan to get your open ports, or just sends random SYN pakets

This works really well as a denial of service for FreeBSD, since
it fills up the SYN cache, forcing the use of SYN cookies.

A secondary attack, after the SYN cache has been filled once to
force the SYN cookie flag on, is to send ACK's, forcing the FreeBSD
box to do relatively expensive cryptographic calculations on the
ACK, to see if it's an ACK with a valid SYN cookie.

An exhaustive search of the sequence number space after that (to
discover a valid SYN cookie) can lead to people being able to open
connections without the SYN/SYN-ACK.

The benefit to overflowing to the point of getting a valid SYN
coookie for this exploit is that you can, in that packet, include
data payload.

By doing that, you can basically send a data payload to a FreeBSD
daemon, using a spoofed source IP address, and have it do something,
which is not something you could do, without having SYN cookies.

Aside from the other good advice in the previous posting, I suggest
that you disable SYN cookies.


Another useful thing to do is limit the number of connections per
second from a given source IP address, and to limit the total number
of connection "in progress" from a given IP address.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E192770.43B3D489>