From owner-freebsd-hackers Sun Jan 5 22:53:37 2003
Message-ID: <3E192770.43B3D489@mindspring.com>
Date: Sun, 05 Jan 2003 22:51:28 -0800
From: Terry Lambert
To: soralx@cydem.zp.ua
Cc: freebsd-hackers@freebsd.org
Subject: Re: DDoS attacks, packets captured ... not sure what to do.

soralx@cydem.zp.ua wrote:
> > 1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do
> > not exist on the target.
>
> this is not a 'SYN flood'; 'SYN flood'=TCP SYN+FIN
> seems like someone is continuously using TCP SYN "half-open"
> scan to get your open ports, or just sends random SYN packets

This works really well as a denial of service for FreeBSD, since it
fills up the SYN cache, forcing the use of SYN cookies.
A secondary attack, after the SYN cache has been filled once to force
the SYN cookie flag on, is to send ACKs, forcing the FreeBSD box to do
relatively expensive cryptographic calculations on the ACK, to see if
it's an ACK with a valid SYN cookie.

An exhaustive search of the sequence number space after that (to
discover a valid SYN cookie) can lead to people being able to open
connections without the SYN/SYN-ACK. The benefit to overflowing to the
point of getting a valid SYN cookie for this exploit is that you can,
in that packet, include data payload. By doing that, you can basically
send a data payload to a FreeBSD daemon, using a spoofed source IP
address, and have it do something, which is not something you could
do without SYN cookies.

Aside from the other good advice in the previous posting, I suggest
that you disable SYN cookies.

Another useful thing to do is limit the number of connections per
second from a given source IP address, and to limit the total number
of connections "in progress" from a given IP address.

-- Terry
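The per-source limits suggested at the end of this message need a way to spot the offending sources first. The following detector, an added example that is not part of the thread or of FreeBSD, reads tcpdump-style lines (the sample lines are constructed, not a real capture) and flags sources that send too many bare SYNs per second or too many SYNs to ports the host does not serve; the listening-port set and both thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's text format (not a real capture). It mirrors the
# pattern reported in the thread: one source firing SYNs at ports that are not open,
# plus one legitimate client completing a handshake on port 22.
SAMPLE_LINES = """\
22:53:37.000101 IP 203.0.113.10.1658 > 192.0.2.1.106: Flags [S], seq 1, win 512, length 0
22:53:37.000205 IP 203.0.113.10.1659 > 192.0.2.1.107: Flags [S], seq 1, win 512, length 0
22:53:37.000307 IP 203.0.113.10.1660 > 192.0.2.1.108: Flags [S], seq 1, win 512, length 0
22:53:37.000409 IP 203.0.113.10.1661 > 192.0.2.1.109: Flags [S], seq 1, win 512, length 0
22:53:37.000511 IP 198.51.100.7.40000 > 192.0.2.1.22: Flags [S], seq 9, win 65535, length 0
22:53:37.000613 IP 198.51.100.7.40000 > 192.0.2.1.22: Flags [.], ack 1, win 65535, length 0
22:53:38.000101 IP 203.0.113.10.1662 > 192.0.2.1.110: Flags [S], seq 1, win 512, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LISTENING_PORTS = {22, 25, 80}  # assumed: the ports this host actually serves

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def syn_stats(lines):
    """Return ({(src, second): bare-SYN count}, {src: SYNs sent to closed ports})."""
    per_sec = Counter()
    closed = Counter()
    for line in lines:
        p = parse(line)
        if not p:
            continue
        # Only a bare SYN ('S') opens a half-open entry; 'S.' is the host's SYN-ACK reply
        if p["flags"] != "S":
            continue
        per_sec[(p["src"], p["ts"])] += 1
        if int(p["dport"]) not in LISTENING_PORTS:
            closed[p["src"]] += 1
    return per_sec, closed

def flag_sources(lines, syn_per_sec=3, closed_port_syns=3):
    """Sources over either threshold (thresholds are illustrative, tune per host)."""
    per_sec, closed = syn_stats(lines)
    flagged = {src for (src, _), n in per_sec.items() if n > syn_per_sec}
    flagged |= {src for src, n in closed.items() if n > closed_port_syns}
    return sorted(flagged)
```

Feed it `tcpdump -n -tt`-style output for a real host and the flagged addresses are the candidates for the per-source connection limits the message recommends.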