SYN Attacks - how i cant stop it
Spades
spades at galaxynet.org
Fri Feb 13 06:35:21 PST 2004
Hi,
I got this error when I tried to type in some of those:
"sysctl: unknown oid ...". Any idea?
My server seems to be very lagged, whereas
the network connection seems fine; I think it is BSD
itself, as my other Red Hat box is fine.
What else can I do to get optimum protection?
Thanks.
----- Original Message -----
From: "Per Engelbrecht" <per at xterm.dk>
To: <jhernandez at progrexive.com>
Cc: <freebsd-security at freebsd.org>
Sent: Saturday, February 07, 2004 5:58 PM
Subject: Re: SYN Attacks - how i cant stop it
> Hi,
>
> <snip>
> > all nights. Check this.
> >
> > Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> > 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> > Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
> <snip>
>
>
> It's hard to get rid of shit-heads like this - I'm talking about the
> person doing this attack, that is.
> You send a looong output of a log, but no info on your system or any
> adjustments you have made (or not made) on your system, i.e. kernel
> (options), sysctl (tweaks) and ipfw (rules).
> If the problem is out-of-bandwidth (and your system has already been
> optimized) then the only real solution is more 'pipe', a.k.a. the
> Microsoft solution.
> So far I've only been guessing, but here is what I normally do with my
> setup. I'm not telling you that this is the solution! Just advice!
>
> Kernel;
> options SC_DISABLE_REBOOT
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
> options IPSTEALTH (don't touch the ttl/can't see the wall)
> options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner)
> options RANDOM_IP_ID (hard to calculate ip freq. number)
> options DUMMYNET (e.g. 40% for web, 30% for mail and so on)
> options DEVICE_POLLING (can't do this short and not with SMP)
> options HZ=1000 (can't do this short and not with SMP)
>
> Sysctl;
> kern.ipc.somaxconn=1024 #this is set high!
> kern.ipc.nmbclusters=65536 #this is set high!
> kern.polling.enable=1 #remember kernel options
> kern.polling.user_frac=50>90 #remember kernel options
> net.xorp.polling=1
> net.xorp.poll_burst=10
> net.xorp.poll_in_trap=3
> (if you use dynamic rules in ipfw [stateful] you can tweak this)
> net.inet.ip.fw.dyn_ack_lifetime=200 #shorter timeout on connection
> net.inet.ip.fw.dyn_syn_lifetime=20
> net.inet.ip.fw.dyn_fin_lifetime=20
> net.inet.ip.fw.dyn_rst_lifetime=5
> net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
> net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
> net.inet.ip.fw.dyn_count: #count of number of dynamic rules
>
> ipfw;
> There's a zillion ways to set it up. start with a few rules regarding
> lo0 and icmp. Then use stateful inspection and dynamic rules for the
> rest of the wall.
>
> ... and by the way, I could see that a few of the scans came from RIPE
> ranges. Do some digging and report it!
> Even if the boxes are used without the owners' awareness, you can [we all
> can] bring this part to an end.
>
> respectfully
> /per
> per at xterm.dk
>
>
>
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
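Per's point that a long log dump says little without a summary applies to the "TCP: port scan detected [port N] from A.B.C.D [ports ...]" lines quoted above. The shell function below is an added example, not code from the thread; it reads syslog lines on stdin and aggregates them per source address and target port with awk, counting both the detection messages and the source ports listed in their brackets, so the busiest sources surface first. The sample log is constructed for the example (the 212.165.80.117 entries mirror the quoted lines; the 10.0.0.5 line is made up).

```shell
#!/bin/sh
# Added example, not code from the thread: summarize "port scan detected"
# syslog lines per source address and target port.
#
# Output columns (one line per source/port pair, busiest first):
#   <scans> scans <ports> ports <src> -> port <dport> (<first seen> .. <last seen>)
# where <scans> is the number of detection messages and <ports> the total
# number of source ports listed in their "[ports ...]" brackets.
#
# Constructed sample log for the example; the 212.165.80.117 lines mirror the
# ones quoted in the thread, the 10.0.0.5 line is made up.
SAMPLE_LOG='Feb  6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 63432,63453,63466,63499,63522]
Feb  6 11:55:02 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 63540,63571,63602]
Feb  6 11:58:09 TCP: port scan mode expired for 212.165.80.117
Feb  6 12:03:41 TCP: port scan detected [port 22] from 10.0.0.5 [ports 1025,1026]'

# summarize_scans [MIN]
# Reads syslog lines on stdin; prints only source/port pairs with at least
# MIN detection messages (default 1), busiest first.
summarize_scans() {
    awk -v min="${1:-1}" '
    /TCP: port scan detected/ {
        src = ""; dport = ""; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "[port")  { dport = $(i + 1); sub(/\]$/, "", dport) }
            if ($i == "from")   { src = $(i + 1) }
            if ($i == "[ports") { plist = $(i + 1); sub(/\]$/, "", plist); n = split(plist, arr, ",") }
        }
        if (src == "" || dport == "") next       # line does not have the expected shape
        key = src SUBSEP dport
        stamp = $1 " " $2 " " $3                 # "Mon D HH:MM:SS" from the syslog prefix
        if (!(key in hits)) { first[key] = stamp; srcof[key] = src; dportof[key] = dport }
        hits[key]++
        probes[key] += n
        last[key] = stamp
    }
    END {
        for (k in hits)
            if (hits[k] >= min)
                printf "%d scans %d ports %s -> port %s (%s .. %s)\n",
                       hits[k], probes[k], srcof[k], dportof[k], first[k], last[k]
    }' | sort -rn
}

# On a FreeBSD box:  summarize_scans 3 < /var/log/messages
# Run the built-in sample:  sh scanlog.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_scans
fi
```

The MIN argument is the threshold you would report on: a source with a handful of detections over several days is noise, a source with dozens against one port is the one worth a whois lookup and an abuse report, as Per suggests.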
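The "sysctl: unknown oid" error Spades hits is what sysctl(8) reports when the requested name is not in the running kernel's tree; several entries in Per's list only appear once the matching kernel option or module is present (net.inet.ip.fw.* with ipfw, kern.polling.* with DEVICE_POLLING), so pasting the list blindly into sysctl.conf stops at the first missing OID. The script below is an added example, not code from the thread or from FreeBSD: it reads a sysctl.conf-style list, probes each OID before setting it, and reports what it skipped. The SYSCTL variable, the function names and the summary format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: apply sysctl(8) tunables from a
# sysctl.conf(5)-style list, probing each OID first. OIDs that the running
# kernel does not expose (for instance because the matching kernel option or
# module is absent) are reported and skipped instead of aborting the whole
# run with "sysctl: unknown oid".
#
# SYSCTL names the sysctl command. It is a variable (an assumption made for
# this example) so the logic can be exercised against a stand-in command.
SYSCTL="${SYSCTL:-sysctl}"

# oid_exists OID  -> exit status 0 if the kernel exposes OID, 1 otherwise
oid_exists() {
    "$SYSCTL" -n "$1" >/dev/null 2>&1
}

# apply_tunables < FILE
# Reads "oid=value" lines ('#' starts a comment, blank lines are ignored) and
# sets every OID the kernel knows. Skipped or malformed lines go to stderr;
# a one-line summary goes to stdout. Exit status is 0 only if nothing was
# skipped or malformed.
apply_tunables() {
    applied=0; skipped=0; malformed=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                # drop trailing comment
        line="$(printf '%s' "$line" | tr -d '[:space:]')" # drop whitespace
        if [ -z "$line" ]; then
            continue
        fi
        case "$line" in
            *=*) ;;
            *)
                printf 'malformed line (no "="): %s\n' "$line" >&2
                malformed=$((malformed + 1))
                continue
                ;;
        esac
        oid="${line%%=*}"
        value="${line#*=}"
        if ! oid_exists "$oid"; then
            printf 'skipping %s: not present in this kernel\n' "$oid" >&2
            skipped=$((skipped + 1))
        elif "$SYSCTL" "$oid=$value" >/dev/null 2>&1; then
            applied=$((applied + 1))
        else
            printf 'skipping %s: kernel refused the value %s\n' "$oid" "$value" >&2
            skipped=$((skipped + 1))
        fi
    done
    printf 'applied %d skipped %d malformed %d\n' "$applied" "$skipped" "$malformed"
    [ "$skipped" -eq 0 ] && [ "$malformed" -eq 0 ]
}

# Usage on the box (as root):  sh tune.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    apply_tunables < "$1"
fi
```

A non-zero exit status with a "not present in this kernel" line is the useful diagnostic here: it tells you which kernel option or module Per's tweak depends on is missing from your build, rather than leaving you with an unexplained "unknown oid".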