SYN Attacks - how i cant stop it

Per Engelbrecht per at xterm.dk
Sat Feb 7 01:55:05 PST 2004 

Hi,

<snip>
> all nights.  Check this.
>
> Feb  6 11:54:24 TCP: port scan detected [port 6667] from
> 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> Feb  6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
<snip>


It's hard to get rid of shit-heads like this - I'm talking about the
person doing this attac, that is.
You send a looong output of a log, but no info on your system or any
adjustments you have made (or not made) on your system i.e. kernel
(options), sysctl (tweaks) and ipfw (rules).
If the problem is out-of-bandwith (and your system already has been
optimized) then the only real solution is more 'pipe' a.k.a the
Microsoft-solution.
So fare I've only been guessing, but here is what I normally do with my
setup. I'm not telling you that this is the solution! just adwises!

Kernel;
options      SC_DISABLE_REBOOT
options      IPFIREWALL
options      IPFIREWALL_VERBOSE
options      IPFIREWALL_VERBOSE_LIMIT=100
options      IPDIVERT
options      IPFILTER
options      IPFILTER_LOG
options      IPSTEALTH   (don't touch the ttl/can't see the wall)
options      TCP_DROP_SYNFIN   (drop tcp packet with syn+fin/scanner)
options      RANDOM_IP_ID   (hard to do calculate ip frekv. number)
options      DUMMYNET   (e.g. 40% for web, 30% for mail and so on)
options      DEVICE_POLLING    (can't do this short and not with SMP)
options      HZ=1000   (can't do this short and not with SMP)

Sysctl;
kern.ipc.somaxconn=1024      #this is set high!
kern.ipc.nmbclusters=65536   #this is set high!
kern.polling.enable=1         #remember kernel options
kern.polling.user_frac=50>90  #remember kernel options
net.xorp.polling=1
net.xorp.poll_burst=10
net.xorp.poll_in_trap=3
(if you use dynamic rules in ipfw [stateful] you can tweak this)
net.inet.ip.fw.dyn_ack_lifetime=200 #shorte timeout on connection
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=20
net.inet.ip.fw.dyn_rst_lifetime=5
net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
net.inet.ip.fw.dyn_count:   #count of number of dynamic rules

ipfw;
There's a zillion ways to set it up. start with a few rules regarding
lo0 and icmp. Then use stateful inspection and dynamic rules for the
rest of the wall.

... and by the way, I could see that a few of the scan came from RIPE
ranges. Do some digging and report it!
Even if the boxes are use without the owners awareness, you can [we all
can] bring this part to an end.

respectfully
/per
per at xterm.dk

More information about the freebsd-security mailing list