SYN Flood
Derrick T. Woolworth
dwoolworth at gmail.com
Sun Aug 20 23:28:32 UTC 2006
I forwarded a message to the security officer about this issue, but I still
haven't been able to narrow down what's happening enough to guarantee it's
just not a bug.
I'm running -CURRENT on one server. Our Internet router/firewall is a
6.1-STABLE system running PF, routing two class C's or a /23 subnet
actually.
I didn't have any trouble until I put the -CURRENT system on our LAN and
attempted to make it a router/firewall system.
The route is 64.199.142.240/28 => 64.199.142.60, so I'm merely routing a few
IPs at the -CURRENT system.
uname -a
FreeBSD mbfw.mb.rndkc.com 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sun Aug 20
15:29:02 CDT 2006 root at mbfw.mb.rndkc.com:/usr/src/sys/amd64/compile/MBFW
amd64
router's ethernet addr: 00:0d:87:e9:c0:40 'vr' driver
new -current system's public interface eth addr: 00:16:e6:52:cd:47 'nve'
driver
After leaving tcpdump running until this happens (things run away for
2 to 3 minutes and then stop), I've captured this:
17:42:33.829685 00:0d:87:e9:c0:40 > 00:08:54:b1:45:18, ethertype IPv4
(0x0800), length 60: 81.176.69.92.80 > 64.199.142.47.1490: S
3842711808:3842711808(0) ack 2054160385 win 16384
0x0000: 4500 0028 0100 4000 5b06 b8cd 51b0 455c E..(..@.[...Q.E\
0x0010: 40c7 8e2f 0050 05d2 e50b 2100 7a70 0001 @../.P....!.zp..
0x0020: 5012 4000 8330 0000 0715 9e32 ef00 P.@..0.....2..
17:42:33.831281 00:16:e6:52:cd:47 > 00:08:54:b1:45:18, ethertype IPv4
(0x0800), length 54: 81.176.69.92.80 > 64.199.142.47.1490: S
3842711808:3842711808(0) ack 2054160385 win 16384
0x0000: 4500 0028 0100 4000 5906 bacd 51b0 455c E..(..@.Y...Q.E\
0x0010: 40c7 8e2f 0050 05d2 e50b 2100 7a70 0001 @../.P....!.zp..
0x0020: 5012 4000 8330 0000 P.@..0..
17:42:33.832700 00:0d:87:e9:c0:40 > 00:0e:0c:b1:b4:0c, ethertype IPv4
(0x0800), length 60: 81.176.69.92.80 > 64.199.142.88.1527: S
199865344:199865344(0) ack 1390346241 win 16384
0x0000: 4500 0028 0100 4000 5b06 b8a4 51b0 455c E..(..@.[...Q.E\
0x0010: 40c7 8e58 0050 05f7 0be9 b400 52df 0001 @..X.P......R...
0x0020: 5012 4000 f095 0000 d443 0000 69d9 P.@......C..i.
17:42:33.833752 00:16:e6:52:cd:47 > 00:0e:0c:b1:b4:0c, ethertype IPv4
(0x0800), length 54: 81.176.69.92.80 > 64.199.142.88.1527: S
199865344:199865344(0) ack 1390346241 win 16384
0x0000: 4500 0028 0100 4000 5906 baa4 51b0 455c E..(..@.Y...Q.E\
0x0010: 40c7 8e58 0050 05f7 0be9 b400 52df 0001 @..X.P......R...
0x0020: 5012 4000 f095 0000 P.@.....
17:42:33.851227 00:0d:87:e9:c0:40 > 00:50:04:60:34:fd, ethertype IPv4
(0x0800), length 60: 81.176.69.92.80 > 64.199.142.148.1918: S
1499637248:1499637248(0) ack 830603265 win 16384
0x0000: 4500 0028 0100 4000 5b06 b868 51b0 455c E..(..@.[..hQ.E\
0x0010: 40c7 8e94 0050 077e 5962 a600 3182 0001 @....P.~Yb..1...
0x0020: 5012 4000 d0b6 0000 0050 4f20 0001 P.@......PO...
17:42:33.852111 00:16:e6:52:cd:47 > 00:50:04:60:34:fd, ethertype IPv4
(0x0800), length 54: 81.176.69.92.80 > 64.199.142.148.1918: S
1499637248:1499637248(0) ack 830603265 win 16384
0x0000: 4500 0028 0100 4000 5906 ba68 51b0 455c E..(..@.Y..hQ.E\
0x0010: 40c7 8e94 0050 077e 5962 a600 3182 0001 @....P.~Yb..1...
0x0020: 5012 4000 d0b6 0000 P.@.....
17:42:33.854137 00:0d:87:e9:c0:40 > 00:04:5f:40:0d:2b, ethertype IPv4
(0x0800), length 60: 81.176.69.92.80 > 64.199.143.232.1656: S
3817299712:3817299712(0) ack 1325531137 win 16384
0x0000: 4500 0028 0100 4000 5b06 b714 51b0 455c E..(..@.[...Q.E\
0x0010: 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 @....P.x.._.O...
0x0020: 5012 4000 6fc3 0000 0000 0000 0000 P.@.o.........
17:42:33.854177 00:16:e6:52:cd:47 > 00:0d:87:e9:c0:40, ethertype IPv4
(0x0800), length 54: 81.176.69.92.80 > 64.199.143.232.1656: S
3817299712:3817299712(0) ack 1325531137 win 16384
0x0000: 4500 0028 0100 4000 5906 b914 51b0 455c E..(..@.Y...Q.E\
0x0010: 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 @....P.x.._.O...
0x0020: 5012 4000 6fc3 0000 P.@.o...
17:42:33.854338 00:0d:87:e9:c0:40 > 00:04:5f:40:0d:2b, ethertype IPv4
(0x0800), length 60: 81.176.69.92.80 > 64.199.143.232.1656: S
3817299712:3817299712(0) ack 1325531137 win 16384
0x0000: 4500 0028 0cb6 0000 5806 ee5e 51b0 455c E..(....X..^Q.E\
0x0010: 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 @....P.x.._.O...
0x0020: 5012 4000 6fc3 0000 03f3 e59a 3200 P.@.o.......2.
17:42:33.854365 00:16:e6:52:cd:47 > 00:0d:87:e9:c0:40, ethertype IPv4
(0x0800), length 54: 81.176.69.92.80 > 64.199.143.232.1656: S
3817299712:3817299712(0) ack 1325531137 win 16384
0x0000: 4500 0028 0cb6 0000 5606 f05e 51b0 455c E..(....V..^Q.E\
0x0010: 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 @....P.x.._.O...
0x0020: 5012 4000 6fc3 0000 P.@.o...
I'm watching this on the -current system's public interface and on the
router's LAN facing interface.
I suppose the first odd thing is why or how my switch is showing the
-current system's public/LAN facing interface this SYN packet that isn't
destined for it. Even worse, however, is that the -current's nve interface
duplicates these packets - and where is the 81.176.69.92 IP address coming
from?
The packets occur often and from different IP addresses. I can't tell if
the first SYN packet in is actually valid or not, but since these max out a
100mb connection, you can imagine that our main firewall/router's LAN
interface is maxing out the CPU (swi1: net has used 545 hours of CPU time
and irq23: vr0 588 hours). The -current system is similar with the nve
driver.
Has anyone seen this kind of behavior? Do I have some kind of weird viral
thing happening or a switch problem? The switch has been really stable for
us - a Cisco 4003 with 68 ports... I just haven't seen anything like this
before - getting a SYN flood from all kinds of addresses and yet if I watch
the public router/firewall interface, I only have outbound packets from the
network.
Sorry if I'm posting to the wrong list, but this only started occurring when
we added this -current server to our network... I'm just wondering if there
could be some odd behavior with the updates to the nve driver?
Thanks,
D
--
Derrick T. Woolworth
R&D Technology, LLC. http://www.rndtechnology.com
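The hex dumps in the message above decoded by script rather than by eye, as an added example that is not part of the original post and is not FreeBSD code. It takes the ten hex columns from the capture as constructed input, parses the IPv4 and TCP headers, verifies the IP header checksum and the TCP checksum over the pseudo-header, decodes the TCP flags, and pairs up frames that carry the same IP ID, addresses, ports, sequence and ack numbers. The traits it counts (SYN and ACK both set, source port 80, a single source address, many local destinations) are the usual shape of SYN-flood backscatter, where a third party's SYNs carry forged source addresses in your range and the target's SYN/ACK replies land on you; whether that is what happened on this network is my reading, not something the post establishes, and the script only measures the pattern. The MAC-to-role labels and the field names are mine.

```python
"""Decode the tcpdump hex dumps quoted above and classify each frame.

Added example, not part of the original post or of FreeBSD.  It parses the
IPv4 and TCP headers out of the hex columns, verifies both checksums,
decodes the TCP flags, and groups frames that carry the same IP ID, seq and
ack so the duplicated copies (and the TTL difference between them) and the
SYN/ACK-from-port-80 pattern can be measured rather than eyeballed.
Standard library only.
"""
import struct
from collections import defaultdict

# Constructed input: the ten hex dumps from the post, tagged with the source
# MAC of the frame they were printed under.  Bytes after the IP total length
# are Ethernet padding and are dropped by parse_frame().
ROUTER = "00:0d:87:e9:c0:40"  # 6.1-STABLE router, LAN side ('vr')
NVE = "00:16:e6:52:cd:47"     # -CURRENT box, public interface ('nve')
FRAMES = [
    (ROUTER, "4500 0028 0100 4000 5b06 b8cd 51b0 455c 40c7 8e2f 0050 05d2 e50b 2100 7a70 0001 5012 4000 8330 0000 0715 9e32 ef00"),
    (NVE,    "4500 0028 0100 4000 5906 bacd 51b0 455c 40c7 8e2f 0050 05d2 e50b 2100 7a70 0001 5012 4000 8330 0000"),
    (ROUTER, "4500 0028 0100 4000 5b06 b8a4 51b0 455c 40c7 8e58 0050 05f7 0be9 b400 52df 0001 5012 4000 f095 0000 d443 0000 69d9"),
    (NVE,    "4500 0028 0100 4000 5906 baa4 51b0 455c 40c7 8e58 0050 05f7 0be9 b400 52df 0001 5012 4000 f095 0000"),
    (ROUTER, "4500 0028 0100 4000 5b06 b868 51b0 455c 40c7 8e94 0050 077e 5962 a600 3182 0001 5012 4000 d0b6 0000 0050 4f20 0001"),
    (NVE,    "4500 0028 0100 4000 5906 ba68 51b0 455c 40c7 8e94 0050 077e 5962 a600 3182 0001 5012 4000 d0b6 0000"),
    (ROUTER, "4500 0028 0100 4000 5b06 b714 51b0 455c 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 5012 4000 6fc3 0000 0000 0000 0000"),
    (NVE,    "4500 0028 0100 4000 5906 b914 51b0 455c 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 5012 4000 6fc3 0000"),
    (ROUTER, "4500 0028 0cb6 0000 5806 ee5e 51b0 455c 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 5012 4000 6fc3 0000 03f3 e59a 3200"),
    (NVE,    "4500 0028 0cb6 0000 5606 f05e 51b0 455c 40c7 8fe8 0050 0678 e387 5f00 4f02 0001 5012 4000 6fc3 0000"),
]

TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 when run over a header that already
    carries a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(hexwords: str) -> dict:
    """Decode an IPv4 header plus a TCP header with no options (what these
    SYN/ACKs carry) from a tcpdump -X hex column."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ip_hdr, tcp = raw[:ihl], raw[ihl:total_len]   # slice off Ethernet padding
    ip_id, frag, ttl, proto = struct.unpack("!HHBB", raw[4:10])
    src, dst = raw[12:16], raw[16:20]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "ip_id": ip_id, "df": bool(frag & 0x4000), "ttl": ttl,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": "".join(n for bit, n in TCP_FLAGS if off_flags & bit),
        "ip_cksum_ok": ones_complement_sum(ip_hdr) == 0,
        "tcp_cksum_ok": ones_complement_sum(pseudo + tcp) == 0,
    }


def summarize(frames) -> dict:
    """Count the traits of SYN/ACK backscatter: SYN+ACK set, source port a
    service port, few sources, many local destinations, valid checksums."""
    pkts = [parse_frame(h) for _, h in frames]
    return {
        "frames": len(pkts),
        "syn_ack": sum(p["flags"] == "SA" for p in pkts),
        "from_port_80": sum(p["sport"] == 80 for p in pkts),
        "sources": sorted({p["src"] for p in pkts}),
        "destinations": sorted({p["dst"] for p in pkts}),
        "all_checksums_ok": all(p["ip_cksum_ok"] and p["tcp_cksum_ok"] for p in pkts),
    }


def duplicate_groups(frames) -> list:
    """Frames with identical IP ID, addresses, ports, seq and ack are the same
    packet seen more than once; return each such group as [(mac, ttl), ...]."""
    groups = defaultdict(list)
    for mac, hexwords in frames:
        p = parse_frame(hexwords)
        key = (p["ip_id"], p["src"], p["dst"], p["sport"], p["dport"], p["seq"], p["ack"])
        groups[key].append((mac, p["ttl"]))
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for mac, h in FRAMES:
        p = parse_frame(h)
        print(f"{mac} id=0x{p['ip_id']:04x} ttl={p['ttl']} {p['src']}:{p['sport']} > "
              f"{p['dst']}:{p['dport']} [{p['flags']}] win={p['win']} "
              f"ip_cksum={'ok' if p['ip_cksum_ok'] else 'BAD'} "
              f"tcp_cksum={'ok' if p['tcp_cksum_ok'] else 'BAD'}")
    print(summarize(FRAMES))
    for g in duplicate_groups(FRAMES):
        print("same packet seen twice (mac, ttl):", g)
```

Run with python3. On the quoted capture every frame is a SYN/ACK from 81.176.69.92:80, all IP and TCP checksums verify, and each frame printed under the router's MAC is followed by one under the nve MAC with the same IP ID, seq and ack but a TTL two lower and the IP checksum adjusted to match; the second copy was therefore rewritten at the IP layer, not mirrored byte-for-byte. On a live box the same grouping run over a longer capture, with the outbound direction included, is the quickest way to confirm whether any local host ever sent the SYN these packets are answering.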