Detecting or mitigating syn-flood attacks
Arthur Chance
freebsd at qeng-ho.org
Mon Jul 26 13:36:50 UTC 2021
On 26/07/2021 13:59, Norman Gray wrote:
>
> Greetings.
>
> Can anyone point me towards best-practice guidance on detecting and
> mitigating syn-flood attacks, with a focus on FreeBSD?
>
> We run a login server, providing ssh access to our users, from the open
> internet. It's running in a jail on a FreeBSD machine. This machine
> (both jail and host) has recently become unresponsive on occasion, even
> to the extent of it being impossible to log in on the console (the
> password prompt never appears). Nothing in the logs. We _think_ we are
> (or have been) victim to a syn-flood attack, but mostly on the grounds
> of having ruled out most plausible alternatives: we're struggling to
> find positive confirmation of this.
>
> So I have two related questions:
>
> 1. What should we be looking at, to confirm or refute this hypothesis?
> And, supposing that the attack has stopped when we're looking, what
> should we be monitoring to detect such a thing if it comes back?
This is theoretical, I have no personal experience, but you might want
to look at the net.inet.tcp.syncache MIB tree. sysctl -d
net.inet.tcp.syncache for quick descriptions.
net.inet.tcp.syncache.count would seem to be the first thing to watch,
and tweaking net.inet.tcp.syncache.cachelimit or
net.inet.tcp.syncookies_only might help, but I'd wait until someone more
knowledgeable than me chips in.
> 2. Is there a best practice document that we should be working through?
> The machine is in a jail, with firewall rules which are, I _think_, as
> restrictive as is compatible with the service's purpose of having port
> 22 open to the internet.
>
> A few extra observations:
>
> I thought I'd be able to find all sorts of information and guidance on
> this, but my google-fu seems lacking.
>
> Regarding the sshd configuration,
> <https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a
> few points, which we're already observing. The machine's sshd_config is
> pretty restrictive: I'm reasonably comfortable I understand the
> important parts of the sshd configuration, but there's always more to
> learn. In any case, my own uncertainty is more with the pf
> configuration than the sshd one.
>
> I see for example
> <https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-attack-nginx-go-offline.23912/>,
> but that's rather terse, and now 10 years old.
>
> There are of course various 'top 20 ssh best practices !1!!' documents
> here and there, but their recommendations, while not necessarily wrong,
> tend to be rather voodoo, which doesn't make me trust them much.
>
> I'm comfortable with basic pf configuration, but I haven't so far had to
> venture very far off-shore. I'm reluctant to type in firewall rules I
> don't understand (*cough*).
>
> I'm also using blacklistd on the jail host, with all its eccentricities
--
Nothing teaches one not to try to stamp out burning thermite quite
like real-life experience.
— James Davis Nicoll
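One way to turn the syncache suggestion above into a repeatable check, written as an added example for this thread rather than anything posted in it: the script parses the `name: value` lines that `sysctl net.inet.tcp.syncache` prints, grades `syncache.count` against `syncache.cachelimit`, and exits 0/1/2 so it can sit in a cron job or monitoring probe. The WARN/CRIT percentages, the helper names and the sample values are assumptions, not FreeBSD defaults.

```shell
#!/bin/sh
# Added example (not from the thread): grade syncache fill level from
# "sysctl net.inet.tcp.syncache" output. The sysctl names are FreeBSD's;
# the WARN/CRIT percentages below are assumed thresholds, not kernel defaults.

WARN_PCT=${WARN_PCT:-50}
CRIT_PCT=${CRIT_PCT:-90}

# syncache_pct: read "name: value" lines on stdin, print count*100/cachelimit
# as an integer. Prints ERR and fails if cachelimit is missing or zero.
syncache_pct() {
    awk -F': ' '
        $1 == "net.inet.tcp.syncache.count"      { count = $2 }
        $1 == "net.inet.tcp.syncache.cachelimit" { limit = $2 }
        END {
            if (limit + 0 == 0) { print "ERR"; exit 1 }
            printf "%d\n", (count * 100) / limit
        }'
}

# syncache_level: map a percentage to OK / WARN / CRIT on stdout and to
# exit status 0 / 1 / 2, so a caller can act on either.
syncache_level() {
    pct=$1
    if [ "$pct" -ge "$CRIT_PCT" ]; then echo CRIT; return 2
    elif [ "$pct" -ge "$WARN_PCT" ]; then echo WARN; return 1
    else echo OK; return 0
    fi
}

# check_live: sample the running kernel (FreeBSD only; needs sysctl(8)).
check_live() {
    pct=$(sysctl net.inet.tcp.syncache | syncache_pct) || return 3
    echo "syncache ${pct}% of cachelimit: $(syncache_level "$pct")"
}

# Constructed sample of sysctl output; the numbers are made up for the demo.
SAMPLE='net.inet.tcp.syncache.count: 14200
net.inet.tcp.syncache.cachelimit: 15375
net.inet.tcp.syncache.syncookies: 1'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    pct=$(printf '%s\n' "$SAMPLE" | syncache_pct)
    echo "sample: ${pct}% of cachelimit -> $(syncache_level "$pct")"
fi
```

Run it with `--live` on the FreeBSD host itself; without arguments it only grades the embedded sample.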