FreeBSD firewall block syn flood attack

jeremie le-hen le-hen_j at epita.fr
Tue May 20 02:58:06 PDT 2003 

> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
> 
> The 7 servers belong to a client, who runs redhat.
> 
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall. 

I don't think a firewall can achieve this, even if it has some matching
options like the "limit" match in Netfilter, which permits to specify a
maximum number of times a rule can match in a given period, since if the
SYN-flood is cleverly done (ie. randomly spoofed), other valid connections
attempts will be also limited.

IMHO, the only efficient way to achieve this is to use syncookies on the
servers themselves. You should tell your client to set CONFIG_SYNCOOKIES
in their Linux kernel (in fact, in RedHat, it should already be the case,
at least if the kernel is recent enough), and then to turn it on with:
	echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Here is a description of this sysctl:
tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket 
        overflows. This is to prevent against the common 'syn flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see synflood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.
        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

        syncookies seriously violate TCP protocol, do not allow
        to use TCP extensions, can result in serious degradation
        of some services (f.e. SMTP relaying), visible not by you,
        but your clients and relays, contacting you. While you see
        synflood warnings in logs not being really flooded, your server
        is seriously misconfigured.


Note that in fact, this might be achieved on your firewall (FreeBSD also
supports syncookies), but this would imply TCP SYN to be received by the
firewall itself, which in turn would forward the TCP connection to the
appropriate server once the connection would be fully established.
(I think a simple TCP tunnel with a NAT redirection to localhost should
work.)

Regards,
-- 
Jeremie aka TtZ/TataZ
jeremie.le-hen at epita.fr

More information about the freebsd-security mailing list