FreeBSD firewall block syn flood attack

G.P. de Boer g.p.de.boer at st.hanze.nl
Tue May 20 01:11:39 PDT 2003


On Tue, 2003-05-20 at 08:52, Ryan James wrote:

> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.

> I am trying to find a way to do some kind of syn flood protection inside the
> firewall. 

On a few of my systems I have built dummynet pipes to limit the
destroying effect of SYN-floods. By limiting incoming SYNs to a few
packets per second (the systems don't have many legit incoming
connection requests per second) I can be sure my boxes will survive the
attack. A way to do this is to create separate pipes for every service, so
even though the pipe for port 80 is full, the pipe for 25 might still
have some room.

Of course, since you're limiting a lot, the DoS is easier: legitimate
connections won't succeed either. But..

First, a system going down (crash/swamp/explode) is worse than a system
which only doesn't accept connections. Immediately after the DoS-attack
stops, the servers will be available again.
Secondly: most scriptkiddies are pretty stupid. I've seen quite a few
SYN-floods to ports nothing was listening on, and thus were
firewalled off. Such attacks are quite pointless, except for the
bandwidth-use. This might be the case in your situation (you didn't tell
;). If so: just create a firewall rule blocking all incoming packets for
those ports and the dummynet queue won't fill up with bogus traffic.

Of course a little tcpdumping might help too. I've had a ping-flood of
1K-sized packets at 40Mbit/s from just 29 systems; by using tcpdump I could
easily figure out which traffic I wanted to block. Filtering such an
attack is easy and doable performance-wise.

Hope this helps a bit and good luck!
Pieter
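The approach Pieter describes (one dummynet pipe per service for inbound SYNs, plus a plain deny for ports nothing listens on) written out as a small rule generator. This is an added example, not code from the original post or from FreeBSD; the interface name fxp0, the server subnet 192.0.2.0/24, the port lists and the per-pipe bandwidth are constructed assumptions. It uses only ipfw(8) syntax that exists in FreeBSD 4.x: `pipe N config bw ... queue ...`, the `setup` keyword (SYN set, ACK clear), `in` and `via`. The script prints the rules so they can be reviewed before being piped into sh on the firewall.

```shell
#!/bin/sh
# Generate ipfw/dummynet rules that rate-limit inbound TCP SYNs per service.
# Values below are constructed for illustration; adjust for your network.
#
#   sh synlimit.sh        # print the rules and read them
#   sh synlimit.sh | sh   # apply them on the firewall (as root)

IFACE=fxp0              # interface facing the Internet (assumed)
SERVERS=192.0.2.0/24    # the protected servers behind the bridge (assumed)
SERVICES="25 80 443"    # one dummynet pipe per listening service
BLOCKED="135 139 445"   # ports with no listener: drop, never queue

# dummynet pipes limit bandwidth, not packets per second.  A SYN is about
# 60 bytes (~480 bits), so 4Kbit/s lets roughly 8 SYNs/s through.  A queue
# of only a few slots means surplus SYNs are dropped rather than buffered,
# which is what you want under a flood.
SYN_BW=4Kbit/s
SYN_QUEUE=5

RULE_BASE=1000   # deny rules start here; pipe rules at RULE_BASE+100
PIPE_BASE=1      # first dummynet pipe number

# Ports nothing listens on: deny at the firewall so bogus SYNs never
# occupy a pipe.  Lower rule numbers are evaluated first by ipfw.
gen_block_rules() {
    rule=$RULE_BASE
    for port in $BLOCKED; do
        echo "ipfw add $rule deny tcp from any to $SERVERS $port in via $IFACE"
        rule=$((rule + 1))
    done
}

# One pipe and one rule per service.  Because each service has its own
# pipe, a flood against port 80 fills pipe 2 but leaves pipe 1 (port 25)
# untouched.  'setup' matches only SYN-without-ACK, so established
# connections are not throttled.
gen_syn_limit_rules() {
    n=0
    for port in $SERVICES; do
        pipe=$((PIPE_BASE + n))
        rule=$((RULE_BASE + 100 + n))
        echo "ipfw pipe $pipe config bw $SYN_BW queue $SYN_QUEUE"
        echo "ipfw add $rule pipe $pipe tcp from any to $SERVERS $port setup in via $IFACE"
        n=$((n + 1))
    done
}

gen_ruleset() {
    echo "# generated ipfw rules: per-service SYN rate limiting"
    gen_block_rules
    gen_syn_limit_rules
}

gen_ruleset
```

Two things to check before relying on this on a bridge: `net.inet.ip.fw.one_pass` decides whether a packet leaving a pipe is accepted outright (the default, 1) or continues through the remaining rules (0), so place any later rules accordingly; and on a FreeBSD 4.x bridge the `net.link.ether.bridge_ipfw` sysctl has to be set to 1 before ipfw sees bridged packets at all. Running tcpdump on the outside interface while the flood is on, as Pieter suggests, tells you whether the SYNs are even aimed at listening ports, which decides whether the deny rules or the pipes do the real work.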
