Detecting or mitigating syn-flood attacks

Norman Gray gray at nxg.name
Mon Jul 26 12:59:25 UTC 2021


Greetings.

Can anyone point me towards best-practice guidance on detecting and 
mitigating syn-flood attacks, with a focus on FreeBSD?

We run a login server, providing ssh access to our users, from the open 
internet.   It's running in a jail on a FreeBSD machine.  This machine 
(both jail and host) has recently become unresponsive on occasion, even 
to the extent of it being impossible to log in on the console (the 
password prompt never appears).  Nothing in the logs.  We _think_ we are 
(or have been) victim to a syn-flood attack, but mostly on the grounds 
of having ruled out most plausible alternatives: we're struggling to 
find positive confirmation of this.

So I have two related questions:

1. What should we be looking at, to confirm or refute this hypothesis?  
And, supposing that the attack has stopped when we're looking, what 
should we be monitoring to detect such a thing if it comes back?

2. Is there a best practice document that we should be working through?  
The machine is in a jail, with firewall rules which are, I _think_, as 
restrictive as is compatible with the service's purpose of having port 
22 open to the internet.

A few extra observations:

I thought I'd be able to find all sorts of information and guidance on 
this, but my google-fu seems lacking.

Regarding the sshd configuration, 
<https://docs.freebsd.org/en/books/handbook/security/#openssh> makes a 
few points, which we're already observing.  The machine's sshd_config is 
pretty restrictive: I'm reasonably comfortable I understand the 
important parts of the sshd configuration, but there's always more to 
learn.  In any case, my own uncertainty is more with the pf 
configuration than the sshd one.

I see for example 
<https://forums.freebsd.org/threads/pf-with-altq-when-under-synflood-attack-nginx-go-offline.23912/>, 
but that's rather terse, and now 10 years old.

There are of course various 'top 20 ssh best practices !1!!' documents 
here and there, but their recommendations, while not necessarily wrong, 
tend to be rather voodoo, which doesn't make me trust them much.

I'm comfortable with basic pf configuration, but I haven't so far had to 
venture very far off-shore.  I'm reluctant to type in firewall rules I 
don't understand (*cough*).

I'm also using blacklistd on the jail host, with all its eccentricities.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
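
The following script is an added example, not code from the original post. It answers the "what should we be monitoring" part of question 1 for FreeBSD specifically: half-open connections on FreeBSD live in the TCP syncache rather than as sockets, so a SYN flood shows up in the cumulative syncache counters printed by `netstat -s -p tcp` (entries added versus completed, bucket/cache overflows, SYN cookies sent) rather than as a pile of SYN_RCVD sockets in `netstat -an`. The script takes two snapshots of that output, diffs the counters, and flags a flood when SYNs arrive far faster than handshakes complete or the syncache overflows. The counter labels are FreeBSD's own; the threshold, the sample interval and the two snapshots below are constructed assumptions, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): detect a SYN flood on FreeBSD
# from the growth of the syncache counters in `netstat -s -p tcp` between
# two samples. Threshold and interval are assumptions; tune them per box.

# Read one cumulative counter from `netstat -s -p tcp` text on stdin.
# $1 is an awk regex for the label that follows the number; netstat
# pluralises some labels, so the regexes used below accept both forms.
# Prints 0 when the label is absent (older/newer netstat wording).
tcp_counter() {
    awk -v pat="$1" '
        $0 ~ ("^[ \t]*[0-9]+ " pat "$") { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Growth of one counter between two snapshots: $1 regex, $2 before, $3 after.
counter_delta() {
    before=$(printf '%s\n' "$2" | tcp_counter "$1")
    after=$(printf '%s\n' "$3" | tcp_counter "$1")
    echo $((after - before))
}

# Print the deltas worth graphing or alerting on, one "name value" per line.
syncache_report() {
    printf 'syncache_added %s\n'     "$(counter_delta 'syncache entr(y|ies) added' "$1" "$2")"
    printf 'syncache_completed %s\n' "$(counter_delta 'completed' "$1" "$2")"
    printf 'bucket_overflow %s\n'    "$(counter_delta 'bucket overflow' "$1" "$2")"
    printf 'cache_overflow %s\n'     "$(counter_delta 'cache overflow' "$1" "$2")"
    printf 'cookies_sent %s\n'       "$(counter_delta 'cookies? sent' "$1" "$2")"
    printf 'listen_drops %s\n'       "$(counter_delta 'listen queue overflows?' "$1" "$2")"
}

# Exit 0 (flood suspected) if, between the samples, SYN cookies were sent
# at or above the threshold, the syncache overflowed at all, or the gap
# between SYNs received and handshakes completed reached the threshold.
# $1 before snapshot, $2 after snapshot, $3 per-interval threshold (assumed).
syn_flood_suspected() {
    threshold="$3"
    added=$(counter_delta 'syncache entr(y|ies) added' "$1" "$2")
    completed=$(counter_delta 'completed' "$1" "$2")
    cookies=$(counter_delta 'cookies? sent' "$1" "$2")
    overflow=$(( $(counter_delta 'bucket overflow' "$1" "$2") \
               + $(counter_delta 'cache overflow' "$1" "$2") ))
    [ "$cookies" -ge "$threshold" ] || [ "$overflow" -gt 0 ] \
        || [ $((added - completed)) -ge "$threshold" ]
}

# Constructed excerpts of `netstat -s -p tcp` output (not real captures),
# trimmed to the syncache section. BEFORE is the first sample, AFTER a
# sample taken during a flood, QUIET a sample taken on a normal day.
BEFORE='tcp:
    100 syncache entries added
        0 retransmitted
        0 dupsyn
        0 dropped
        100 completed
        0 bucket overflow
        0 cache overflow
        0 zone failures
    0 cookies sent
    0 cookies received
    0 listen queue overflows'
AFTER='tcp:
    10200 syncache entries added
        40 retransmitted
        12 dupsyn
        0 dropped
        112 completed
        3 bucket overflow
        0 cache overflow
        0 zone failures
    8900 cookies sent
    0 cookies received
    0 listen queue overflows'
QUIET='tcp:
    140 syncache entries added
        0 retransmitted
        0 dupsyn
        0 dropped
        140 completed
        0 bucket overflow
        0 cache overflow
        0 zone failures
    0 cookies sent
    0 cookies received
    0 listen queue overflows'

# On a live box replace the constructed strings with two real samples, e.g.
#   s1=$(netstat -s -p tcp); sleep 30; s2=$(netstat -s -p tcp)
syncache_report "$BEFORE" "$AFTER"
if syn_flood_suspected "$BEFORE" "$AFTER" 1000; then
    echo "syn-flood suspected"
fi
```

Run from cron or a monitoring agent with a 30 to 60 second interval and alert on `cookies_sent` or either overflow counter becoming non-zero; on a quiet ssh host all three stay flat. Two checks go with it: `sysctl net.inet.tcp.syncookies` should report 1 (FreeBSD ships with SYN cookies enabled, which is why a flood tends to surface as cookies sent rather than as exhausted state), and if the console also hangs, look at `netstat -m` for mbuf exhaustion, since a syncache under load alone does not normally stop a console login. On the pf side the relevant knob for the port 22 rule is `synproxy state` (for example `pass in on $ext_if proto tcp to port 22 flags S/SA synproxy state`), which has pf complete the three-way handshake itself before the jail's sshd ever sees the connection.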