SYN Attacks - how i cant stop it

JJB Barbish3 at
Fri Feb 13 07:51:17 PST 2004

You talk about the net.inet.tcp.syncookies=1 knob,
how about an description on what it does and why you
are recommending using it.

How would one go about mirroring back the attackers
syn packets to port 80 or 22?
Please describe this easy method of yours.

-----Original Message-----
From: owner-freebsd-questions at
[mailto:owner-freebsd-questions at]On Behalf Of Anton
Sent: Friday, February 13, 2004 10:27 AM
To: freebsd-questions at
Cc: freebsd-security at
Subject: Re: SYN Attacks - how i cant stop it

Most important, you did turn on syncookies, did you not?

FreeBSD is pretty immune to syn floods. As for out of bandwidth,
has to do with your uplink and how much you pay for your traffic.

root# sysctl net.inet.tcp.syncookies

If it is not set to one, then do:
root# sysctl net.inet.tcp.syncookies=1

Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1.

A reboot would clear the tcp stack. You can't reboot remotely if
securelevel is enabled in /etc/rc.conf.

If you don't have firewall support compiled in the kernel, kldload

Might be a good lesson to mirror back all incoming syn packets from
attacker's IP to him. To port 80, or 22, or to some any other open
You can do that easely with ipfw.

Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F
gpg --keyserver --recv-keys 1E2FFF2E
freebsd-questions at mailing list
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list