FreeBSD firewall block syn flood attack

Mike Hoskins mike at adept.org
Wed May 21 15:11:54 PDT 2003


> > I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> > the internet. The servers are being attacked with syn floods and go down
> > multiple times a day.

From disparate sources?  Start with a sniffer and attempt to understand
the nature of your attacker.  Is he clever?  If not, you may not have to
be that clever to defeat him.

> > The 7 servers belong to a client, who runs redhat.

Suggest grabbing the latest errata via up2date/rhn and ensuring syncookies
are enabled per others' suggestions.

On Tue, 20 May 2003, jeremie le-hen wrote:
> I don't think a firewall can achieve this, even if it has some matching
> options like the "limit" match in Netfilter, which permits specifying a
> maximum number of times a rule can match in a given period, since if the
> SYN-flood is cleverly done (ie. randomly spoofed), other valid connection
> attempts will also be limited.

Of course there is no single answer...

The overall effectiveness, as another pointed out, comes down to
bandwidth.  No matter how clever you are, if the attacker can manage to
use all available bandwidth...  they win.

If more providers properly filtered on their access devices, spoofing
would be much less of an issue.  Even with spoofing, attacks often follow
a typical "profile".

<aside>
Cisco's PIX supports embryonic session limits.  You can say "only allow
each client to start X connections to host:port".  If the limit is
exceeded, the client is blocked and subsequent connections (from the same
client, to the same host:port) are subjected to a backoff period.  So you
can limit how much damage an attacker can do from any single vantage
point.  In the typical botnet example with SYNs coming from thousands of
sources on tens to hundreds of different networks...  You can obviously
still consume all available bandwidth with a good firewall configuration.
This is very similar to using dummynet queues, netfilter's limit, etc.
You can mitigate certain attacks, but if the bandwidth's gone it doesn't
really matter.  Effectively stopping a determined attacker often involves
getting network providers involved.
</aside>

So...  There are things a firewall can do...  But the place to start is
ensuring you understand as much as possible about your attacker and the
mode of attack.

-mrh

--
From: "Spam Catcher" <spam-catcher at adept.org>
To: spam-catcher at adept.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
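The embryonic-session-limit idea from the aside, and the spoofing caveat raised earlier in the thread, as an added worked example (my own illustration, not code from the post, from PIX or from ipfw). It models a per-(client, host:port) cap on half-open connections with a doubling backoff, runs it over a constructed SYN/ACK trace, and then shows why the same limiter does nothing against a randomly spoofed flood. The limit of 3 and the 10 s backoff are assumed values chosen for the illustration, not vendor defaults; the trace is constructed, not captured.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class EmbryonicLimiter:
    """Caps half-open (embryonic) TCP connections per (client, host:port).

    Models the PIX-style limit described in the thread. Parameter values are
    assumptions for this illustration, not vendor defaults. Half-open entries
    never age out here; a real implementation would also expire them.
    """
    max_embryonic: int = 3          # half-open connections allowed per key
    base_backoff: float = 10.0      # seconds blocked after the first violation
    # (src, dst, dport) -> client source ports with a SYN seen but no final ACK
    half_open: dict = field(default_factory=lambda: defaultdict(set))
    # (src, dst, dport) -> (blocked_until, violation_count)
    blocked: dict = field(default_factory=dict)

    def observe(self, ts, src, sport, dst, dport, flags):
        """Return 'pass', 'block' (limit just exceeded) or 'drop' (in backoff)."""
        key = (src, dst, dport)
        until, violations = self.blocked.get(key, (0.0, 0))
        if ts < until:
            return "drop"
        if flags == "S":
            pending = self.half_open[key]
            pending.add(sport)
            if len(pending) > self.max_embryonic:
                violations += 1
                # backoff doubles with each repeated violation from the same client
                self.blocked[key] = (ts + self.base_backoff * 2 ** (violations - 1),
                                     violations)
                pending.clear()
                return "block"
        elif flags == "A":
            # third packet of the handshake: the connection is no longer embryonic
            self.half_open[key].discard(sport)
        return "pass"


# Constructed records in the order a sniffer would see them:
# (seconds, client, client port, server, server port, TCP flag)
SAMPLE = [
    (0.0, "203.0.113.5", 40001, "192.0.2.10", 80, "S"),   # legitimate client
    (0.1, "203.0.113.5", 40001, "192.0.2.10", 80, "A"),   # completes the handshake
    (1.0, "198.51.100.7", 1001, "192.0.2.10", 80, "S"),   # flood: SYNs, never ACKed
    (1.0, "198.51.100.7", 1002, "192.0.2.10", 80, "S"),
    (1.0, "198.51.100.7", 1003, "192.0.2.10", 80, "S"),
    (1.1, "198.51.100.7", 1004, "192.0.2.10", 80, "S"),   # fourth half-open: blocked
    (2.0, "198.51.100.7", 1005, "192.0.2.10", 80, "S"),   # inside the backoff window
    (3.0, "203.0.113.5", 40002, "192.0.2.10", 80, "S"),   # other clients unaffected
    (3.1, "203.0.113.5", 40002, "192.0.2.10", 80, "A"),
    (12.0, "198.51.100.7", 1006, "192.0.2.10", 80, "S"),  # backoff (10 s) has expired
]


def run(records, limiter=None):
    """Apply the limiter to a record list and return the verdict per record."""
    limiter = limiter or EmbryonicLimiter()
    return [limiter.observe(*rec) for rec in records]


def spoofed_flood(n, limiter=None):
    """Every SYN from a different (spoofed) source: the per-client limit never fires.

    This is the caveat from the thread: against a randomly spoofed flood a
    per-source rule only consumes firewall state while the pipe fills anyway.
    """
    limiter = limiter or EmbryonicLimiter()
    verdicts = [
        limiter.observe(float(i), "10.0.%d.%d" % (i >> 8 & 255, i & 255),
                        1000 + i, "192.0.2.10", 80, "S")
        for i in range(n)
    ]
    return Counter(verdicts)


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, run(SAMPLE)):
        print("%5.1fs %-13s:%-5d -> %s:%d %s  %s"
              % (rec[0], rec[1], rec[2], rec[3], rec[4], rec[5], verdict))
    print("spoofed flood of 500 SYNs:", spoofed_flood(500))
```

Running it shows the flooding source being blocked on its fourth half-open connection, dropped during the backoff, and admitted again once the window expires, while the legitimate client is never touched; the spoofed flood passes every one of its 500 SYNs, which is exactly the point that such limits bound the damage from any single vantage point but not the bandwidth a distributed or spoofed flood can consume.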
