Detecting or mitigating syn-flood attacks

Arthur Chance freebsd at
Mon Jul 26 13:36:50 UTC 2021

On 26/07/2021 13:59, Norman Gray wrote:
> Greetings.
> Can anyone point me towards best-practice guidance on detecting and
> mitigating syn-flood attacks, with a focus on FreeBSD?
> We run a login server, providing ssh access to our users, from the open
> internet.   It's running in a jail on a FreeBSD machine.  This machine
> (both jail and host) has recently become unresponsive on occasion, even
> to the extent of it being impossible to log in on the console (the
> password prompt never appears).  Nothing in the logs.  We _think_ we are
> (or have been) victim to a syn-flood attack, but mostly on the grounds
> of having ruled out most plausible alternatives: we're struggling to
> find positive confirmation of this.
> So I have two related questions:
> 1. What should we be looking at, to confirm or refute this hypothesis? 
> And, supposing that the attack has stopped when we're looking, what
> should we be monitoring to detect such a thing if it comes back?

This is theoretical, I have no personal experience, but you might want
to look at the net.inet.tcp.syncache MIB tree. sysctl -d
net.inet.tcp.syncache for quick descriptions.

net.inet.tcp.syncache.count would seem to be the first thing to watch,
and tweaking net.inet.tcp.syncache.cachelimit or
net.inet.tcp.syncookies_only might help, but I'd wait until someone more
knowledgable than me chips in.

> 2. Is there a best practice document that we should be working through? 
> The machine is in a jail, with firewall rules which are, I _think_, as
> restrictive as is compatible with the service's purpose of having port
> 22 open to the internet.
> A few extra observations:
> I thought I'd be able to find all sorts of information and guidance on
> this, but my google-fu seems lacking.
> Regarding the sshd configuration,
> <> makes a
> few points, which we're already observing.  The machine's sshd_config is
> pretty restrictive: I'm reasonably comfortable I understand the
> important parts of the sshd configuration, but there's always more to
> learn.  In any case, my own uncertainty is more with the pf
> configuration than the sshd one.
> I see for example
> <>,
> but that's rather terse, and now 10 years old.
> There are of course various 'top 20 ssh best practices !1!!' documents
> here and there, but their recommendations, while not necessarily wrong,
> tend to be rather voodoo, which doesn't make me trust them much.
> I'm comfortable with basic pf configuration, but I haven't so far had to
> venture very far off-shore.  I'm reluctant to type in firewall rules I
> don't understand (*cough*).
> I'm also using blacklistd on the jail host, with all its eccentricities
Nothing teaches one not to try to stamp out burning thermite quite
like real-life experience.
			— James Davis Nicoll

More information about the freebsd-questions mailing list