Malformed SYN packet causes 100% CPU and interrupts, FreeBSD 9.0 release
Chuck Swiger
cswiger at mac.com
Thu Mar 22 01:20:52 UTC 2012
On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello Chris,
I'm Chuck, but no matter.
> Here I get tcpdump with X param..
>
> First look at input errors.. it's about 60 mbit/sec and many more packets can't
> be processed
>
>             packets  errs idrops    bytes  packets  errs    bytes colls
>               36356 42777      0  7747642      243     0   263462     0
>               36732 41709      0  7681242      240     0   359432     0
[ ... ]
60 mbit/s of SYNs is a pretty significant DoS attack. You should be involving your ISP to filter the source IPs before they hit your pipe, and probably pull in the police and/or national CERT organization.
> Then tcpdump with X param, also I attach a txt file in the mail..
>
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
> 0x0000: 4500 0050 10ba 07d0 6b06 7382 5885 0f4e E..P....k.s.X..N
> 0x0010: 556f 065a f386 0050 45c4 8c77 9592 0241 Uo.Z...PE..w...A
> 0x0020: 00a3 3c4c b5a3 0000 8807 a83a f215 b40d ..<L.......:....
> 0x0030: 0006 acb5 0038 8f76 afd7 3d00 0000 0000 .....8.v..=.....
> 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
From inspection, that looks to be a normal TCP over IPv4 SYN packet from client port 62342 to your port 80...I didn't validate the checksums, though. (No real point in obscuring the destination IP address, as it's in the packets you're showing.)
Regards,
--
-Chuck
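The quoted dump is complete (total length 0x50 = 80 bytes, five rows of 16), so it can be decoded offline. The following is an added Python example, not code from this thread, from FreeBSD or from tcpdump: it rebuilds the packet from the tcpdump -X rows, decodes the IPv4 header (including the header checksum Chuck says he did not validate, and the flags/fragment-offset word), and then reads the bytes after the IP header as a TCP header the way one would for an unfragmented packet. The helper names (`parse_tcpdump_x`, `decode_ipv4`, `decode_tcp`, `analyze`) are mine; the only input is the hex copied from the message above.

```python
import re
import struct

# The five hex rows below are copied from the tcpdump -X output quoted in
# the message above (the "> " quote prefix removed); the ASCII column is
# kept but ignored by the parser.
DUMP = """
0x0000: 4500 0050 10ba 07d0 6b06 7382 5885 0f4e E..P....k.s.X..N
0x0010: 556f 065a f386 0050 45c4 8c77 9592 0241 Uo.Z...PE..w...A
0x0020: 00a3 3c4c b5a3 0000 8807 a83a f215 b40d ..<L.......:....
0x0030: 0006 acb5 0038 8f76 afd7 3d00 0000 0000 .....8.v..=.....
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
"""

# A tcpdump -X row: offset, then at most eight groups of hex, then ASCII.
ROW_RE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:((?:\s+[0-9a-fA-F]{2,4}){1,8})")

TCP_FLAGS = ((0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def parse_tcpdump_x(text):
    """Rebuild the raw packet bytes from tcpdump -X rows."""
    raw = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            for group in m.group(1).split():
                raw += bytes.fromhex(group)
    return bytes(raw)


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4(pkt):
    """Fixed 20-byte IPv4 header. Flags and fragment offset share one word."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # bytes into the datagram
        "ttl": ttl,
        "protocol": proto,
        # A correct header sums to 0xFFFF with the checksum field included.
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def decode_tcp(seg):
    """Read 20 bytes as a TCP header, as one would for an unfragmented packet."""
    if len(seg) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = \
        struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x01FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes, legal range 20..60
        "flags": flags,
        "flag_names": [name for bit, name in TCP_FLAGS if flags & bit],
        "window": window,
    }


def analyze(text=DUMP):
    """Decode one dumped packet and collect the things worth flagging."""
    pkt = parse_tcpdump_x(text)
    ip = decode_ipv4(pkt)
    pkt = pkt[:ip["total_length"]]  # drop any trailing capture padding
    notes = []
    if not ip["checksum_ok"]:
        notes.append("IPv4 header checksum does not verify")
    if ip["frag_offset"]:
        notes.append("non-initial fragment: the bytes after the IP header are not a TCP header")
    tcp = decode_tcp(pkt[ip["ihl"]:]) if ip["protocol"] == 6 else None
    if tcp and tcp["data_offset"] < 20:
        notes.append("TCP data offset below 20 bytes is invalid")
    return {"ip": ip, "tcp_as_first_fragment": tcp, "notes": notes}


if __name__ == "__main__":
    result = analyze()
    for section in ("ip", "tcp_as_first_fragment"):
        print(section)
        for key, value in (result[section] or {}).items():
            print("  %-13s %s" % (key, value))
    for note in result["notes"]:
        print("note:", note)
```

Run against the dump above, the decoder reports a valid IPv4 header checksum (0x7382), TTL 107, protocol 6, the DF and MF bits clear, and a fragment offset of 2000 (16000 bytes). tcpdump prints only the protocol name and no ports for a non-initial fragment, which is exactly the shape of the `88.133.15.78 > x.x.x.x: tcp` summary line quoted above. Read as a TCP header anyway, the 20 bytes after the IP header give ports 62342 and 80, a data offset of 0 and the flag bits CWR, URG, SYN and FIN; the flags/fragment-offset word and the data offset are the two fields worth checking before calling a flood packet a plain SYN.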
More information about the freebsd-net mailing list