FreeBSD firewall block syn flood attack
jeremie le-hen
le-hen_j at epita.fr
Tue May 20 02:58:06 PDT 2003
> I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.
I don't think a firewall can achieve this, even if it has some matching
options like the "limit" match in Netfilter, which permits to specify a
maximum number of times a rule can match in a given period, since if the
SYN-flood is cleverly done (ie. randomly spoofed), other valid connections
attempts will be also limited.
IMHO, the only efficient way to achieve this is to use syncookies on the
servers themselves. You should tell your client to set CONFIG_SYNCOOKIES
in their Linux kernel (in fact, in RedHat, it should already be the case,
at least if the kernel is recent enough), and then to turn it on with:
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
Here is a description of this sysctl:
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
syncookies seriously violate TCP protocol, do not allow
to use TCP extensions, can result in serious degradation
of some services (f.e. SMTP relaying), visible not by you,
but your clients and relays, contacting you. While you see
synflood warnings in logs not being really flooded, your server
is seriously misconfigured.
Note that in fact, this might be achieved on your firewall (FreeBSD also
supports syncookies), but this would imply TCP SYN to be received by the
firewall itself, which in turn would forward the TCP connection to the
appropriate server once the connection would be fully established.
(I think a simple TCP tunnel with a NAT redirection to localhost should
work.)
Regards,
--
Jeremie aka TtZ/TataZ
jeremie.le-hen at epita.fr
More information about the freebsd-security
mailing list