Hello,

I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.

The 7 servers belong to a client, who runs Red Hat.

I am trying to find a way to do some kind of SYN flood protection inside the firewall.

Any suggestions would be greatly appreciated.

-- 
Ryan James
ryan@mac2.net
On Tue, May 20, 2003 at 01:52:00AM -0500, Ryan James wrote:
> Hello,
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.
>
> The 7 servers belong to a client, who runs Red Hat.
> I am trying to find a way to do some kind of SYN flood protection inside the firewall.

SYN floods are difficult to "protect" against. In the past, the only way I have been able to deal with them is to block all communication to the hosts being attacked, and allow communication again when the attack ends. The difficulty comes in when the attacker realises that you are effectively combating the attack, and then proceeds to increase the ferocity of the attack until either all of your bandwidth is consumed, or your network equipment cannot handle the rate of packets coming in.

Best thing to do is just take the hosts off the network. I normally use packet filter rules to achieve this.
On Tue, 2003-05-20 at 08:52, Ryan James wrote:
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.
> I am trying to find a way to do some kind of SYN flood protection inside the firewall.

On a few of my systems I have built dummynet pipes to limit the destroying effect of SYN floods. By limiting incoming SYNs to a few packets per second (the systems don't have many legit incoming connection requests per second) I can be sure my boxes will survive the attack. A way to do this is to create separate pipes for every service, so even though the pipe for port 80 is full, the pipe for 25 might still have some room.

Of course, since you're limiting a lot, the DoS is easier: legitimate connections won't succeed either. But.. First, a system going down (crash/swamp/explode) is worse than a system which only doesn't accept connections. Immediately after the DoS attack stops the servers will be available again. Secondly: most scriptkiddies are pretty stupid. I've seen quite a few SYN floods to ports where nothing was listening, and which thus were firewalled off. Such attacks are quite pointless, except for the bandwidth use. This might be the case in your situation (you didn't tell ;). If so: just create a firewall rule blocking all incoming packets for those ports and the dummynet queue won't fill up with bogus traffic.

Of course a little tcpdumping might help too. I've had a ping flood of 1K-sized packets at 40Mbit/s from just 29 systems; by using tcpdump I could easily figure out which traffic I wanted to block. Filtering such an attack is easy and doable performance-wise.

Hope this helps a bit and good luck!

Pieter
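As an added illustration of the approach in the message above (this is example code written for this page, not Pieter's or anyone else's from the thread), the script below walks through the tcpdump step and the two kinds of ipfw rules he describes: it counts SYNs per source and per destination port in a capture, emits deny rules for the loudest sources and for ports nothing listens on, and builds one dummynet pipe per service. The capture lines are constructed in the old tcpdump "S" flag style using RFC 5737 documentation addresses; the rule numbers, the 64-byte-per-SYN estimate used to turn a SYN rate into a dummynet bandwidth, and the queue length are assumptions.

```python
"""Added example, not from the thread: summarise a tcpdump SYN capture and
turn the result into ipfw rules for a FreeBSD bridge.  The capture lines are
constructed in the old tcpdump 'S' flag style with RFC 5737 documentation
addresses; rule numbers and the per-SYN byte estimate are assumptions."""
import math
import re
from collections import Counter

# Constructed sample of:  tcpdump -n -i xl0 'tcp[tcpflags] & tcp-syn != 0'
# (one plain ACK line is included to show that it is ignored)
SAMPLE_CAPTURE = """\
01:52:00.000100 203.0.113.5.40001 > 192.0.2.10.80: S 1:1(0) win 512
01:52:00.000200 203.0.113.5.40002 > 192.0.2.10.80: S 2:2(0) win 512
01:52:00.000300 203.0.113.5.40003 > 192.0.2.10.80: S 3:3(0) win 512
01:52:00.000400 203.0.113.77.40001 > 192.0.2.10.6667: S 4:4(0) win 512
01:52:00.000500 203.0.113.77.40002 > 192.0.2.10.6667: S 5:5(0) win 512
01:52:00.000600 198.51.100.9.51000 > 192.0.2.11.25: S 6:6(0) win 16384
01:52:00.000700 198.51.100.9.51000 > 192.0.2.11.25: . ack 1 win 16384
"""

LINE_RE = re.compile(
    r'^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)')


def parse_syns(capture):
    """Return (src, dst, dport) for every line whose TCP flags contain 'S'."""
    syns = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and 'S' in m.group('flags'):
            syns.append((m.group('src'), m.group('dst'), int(m.group('dport'))))
    return syns


def summarise(syns):
    """SYN counts per source address and per (destination, port) pair."""
    by_src = Counter(src for src, _, _ in syns)
    by_port = Counter((dst, dport) for _, dst, dport in syns)
    return by_src, by_port


def block_rules(by_src, threshold, first_rule=1000):
    """Deny rules for sources that sent at least `threshold` SYNs (loudest first)."""
    loud = [src for src, n in sorted(by_src.items(), key=lambda kv: -kv[1]) if n >= threshold]
    return [f"ipfw add {first_rule + i} deny tcp from {src} to any in"
            for i, src in enumerate(loud)]


def dead_port_rules(by_port, listening, first_rule=2000):
    """Deny SYNs to ports nothing listens on, so they never reach a pipe."""
    dead = sorted(p for p in by_port if p[1] not in listening)
    return [f"ipfw add {first_rule + i} deny tcp from any to {dst} {dport} in"
            for i, (dst, dport) in enumerate(dead)]


def pipe_rules(dport, pipe_no, syns_per_sec, syn_bytes=64):
    """One dummynet pipe per service.  dummynet limits bandwidth, not packets,
    so the SYN rate is approximated from an assumed bytes-per-SYN figure;
    'setup' matches only SYNs without ACK, so established flows are untouched."""
    kbit = math.ceil(syns_per_sec * syn_bytes * 8 / 1000)
    return [
        f"ipfw pipe {pipe_no} config bw {kbit}Kbit/s queue 5",
        f"ipfw add {3000 + pipe_no} pipe {pipe_no} tcp from any to any {dport} in setup",
    ]


if __name__ == "__main__":
    by_src, by_port = summarise(parse_syns(SAMPLE_CAPTURE))
    for rule in (block_rules(by_src, 3) + dead_port_rules(by_port, {25, 80})
                 + pipe_rules(80, 1, 20) + pipe_rules(25, 2, 5)):
        print(rule)
```

On a FreeBSD 4.x bridge, ipfw only sees bridged packets when net.link.ether.bridge_ipfw is set to 1, so check that sysctl before expecting any of these rules to match. The generated rules are printed rather than executed so they can be reviewed first; the deny rules for ports with no listener are cheap and do exactly what the message suggests, while the per-source deny rules are only useful when the flood is not source-spoofed.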
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.
>
> The 7 servers belong to a client, who runs Red Hat.
>
> I am trying to find a way to do some kind of SYN flood protection inside the firewall.

I don't think a firewall can achieve this, even if it has some matching options like the "limit" match in Netfilter, which permits specifying a maximum number of times a rule can match in a given period, since if the SYN flood is cleverly done (i.e. randomly spoofed), other valid connection attempts will also be limited.

IMHO, the only efficient way to achieve this is to use syncookies on the servers themselves. You should tell your client to set CONFIG_SYNCOOKIES in their Linux kernel (in fact, in Red Hat, it should already be the case, at least if the kernel is recent enough), and then to turn it on with:

    echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Here is a description of this sysctl:

    tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket
        overflows. This is to prevent against the common 'syn flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see synflood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.
        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

        syncookies seriously violate TCP protocol, do not allow
        to use TCP extensions, can result in serious degradation
        of some services (f.e. SMTP relaying), visible not by you,
        but your clients and relays, contacting you. While you see
        synflood warnings in logs not being really flooded, your server
        is seriously misconfigured.

Note that in fact this might be achieved on your firewall (FreeBSD also supports syncookies), but this would imply the TCP SYN being received by the firewall itself, which in turn would forward the TCP connection to the appropriate server once the connection was fully established. (I think a simple TCP tunnel with a NAT redirection to localhost should work.)

Regards,
-- 
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr
Ryan James wrote:
> Hello,
>
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.
>
> The 7 servers belong to a client, who runs Red Hat.
>
> I am trying to find a way to do some kind of SYN flood protection inside the firewall.
>
> Any suggestions would be greatly appreciated.

Wouldn't SYN cookies help in this situation? Since the firewall is a bridge, you would have to enable SYN cookies on the affected Red Hat box. According to this link:

http://cr.yp.to/syncookies.html

Linux supports SYN cookies ('echo 1 > /proc/sys/net/ipv4/tcp_syncookies') but they are not enabled by default. I believe they are enabled by default on FreeBSD. :)

Otherwise, to use SYN cookies at the firewall, the firewall would have to have SYN cookies enabled (sysctl variable net.inet.tcp.syncookies) and NAT the incoming traffic.

I haven't done any testing of SYN cookies' protection against SYN floods, but it is what they were designed for. :)

good luck,
greg
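The two messages above (Jeremie's and greg's) both point at syncookies without showing what a cookie actually is. The following is an added example written for this page, not code from the thread, the Linux kernel or FreeBSD: a minimal SYN-cookie encoder and verifier in the spirit of http://cr.yp.to/syncookies.html. The 5/3/24 bit layout, the four-entry MSS table, the 64-second counter, the HMAC-SHA256 keyed hash and the demo secret are all illustrative assumptions rather than either kernel's real formula. It shows the two things the quoted sysctl text warns about: the server keeps no per-SYN state (the cookie is the state, so a flood of spoofed SYNs costs it nothing), and only a few bits of what the client offered survive the round trip, which is why TCP options negotiated on the SYN are lost.

```python
"""Added example, not from the thread: a minimal SYN-cookie encoder/verifier
in the spirit of http://cr.yp.to/syncookies.html.  The bit layout, MSS table
and MAC are illustrative assumptions, not the Linux or FreeBSD kernel's exact
formula; the point is that the server stores nothing per SYN and that only a
few bits of what the client offered survive the round trip."""
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed: only 3 cookie bits are spent on MSS
COUNTER_PERIOD = 64                    # assumed seconds per time-counter tick
COOKIE_MAX_AGE = 1                     # accept cookies from this tick and the previous one
SECRET = b"constructed-demo-secret-rotate-in-practice"


def _mac24(secret, saddr, daddr, sport, dport, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the tick."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, t)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK: [5 bits tick][3 bits MSS index][24 bits MAC].
    Nothing is queued for this SYN; the cookie *is* the connection state."""
    t = (now // COUNTER_PERIOD) & 0x1F
    idx = 0
    for i, table_mss in enumerate(MSS_TABLE):   # largest table value <= offered MSS
        if table_mss <= mss:
            idx = i
    return (t << 27) | (idx << 24) | _mac24(secret, saddr, daddr, sport, dport, client_isn, t)


def check_cookie(secret, saddr, daddr, sport, dport, seq, ack, now):
    """Validate the third-handshake ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the MSS to use for the new connection, or None if the ACK is bogus."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    now_t = (now // COUNTER_PERIOD) & 0x1F
    if ((now_t - t) & 0x1F) > COOKIE_MAX_AGE:     # stale, or tick field forged
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, saddr, daddr, sport, dport, client_isn, t)
    got = struct.pack("!I", cookie & 0xFFFFFF)
    if not hmac.compare_digest(got, struct.pack("!I", expected)):
        return None
    return MSS_TABLE[idx]


def handshake_demo():
    """Constructed three-way handshake under flood: SYN, SYN/ACK cookie, ACK."""
    saddr, daddr, sport, dport = "198.51.100.9", "192.0.2.11", 51000, 25
    client_isn, offered_mss, now = 0x12345678, 1452, 1000
    cookie = make_cookie(SECRET, saddr, daddr, sport, dport, client_isn, offered_mss, now)
    ack_seq, ack_ack = client_isn + 1, cookie + 1
    return {
        # legitimate ACK 30 s later: accepted, but the offered MSS 1452 came back as 1440
        "legit": check_cookie(SECRET, saddr, daddr, sport, dport, ack_seq, ack_ack, now + 30),
        # attacker guessing an ACK number without having seen the SYN/ACK
        "forged": check_cookie(SECRET, saddr, daddr, sport, dport, ack_seq, ack_ack ^ 0x1, now + 30),
        # replay of a real cookie three ticks later
        "stale": check_cookie(SECRET, saddr, daddr, sport, dport, ack_seq, ack_ack,
                              now + 3 * COUNTER_PERIOD),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The demo returns 1440 for the legitimate client even though it offered an MSS of 1452, and rejects both the guessed ACK and the replayed one. That rounding of MSS, and the absence of any place to store window scaling or SACK permission, is the "do not allow to use TCP extensions" caveat in the quoted kernel text; it is also why syncookies are meant as a fallback that kicks in only when the backlog overflows, not as the normal path for a busy server.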
On (2003/05/20 01:52), Ryan James wrote:
> Hello,
>
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with SYN floods and go down multiple times a day.
>
> The 7 servers belong to a client, who runs Red Hat.
>
> I am trying to find a way to do some kind of SYN flood protection inside the firewall.

You could use snort quite effectively here. You can set up snort to act as an active packet filter, in conjunction with a firewall. Then obtain a few signature packets and craft a snort rule to activate the dropping of these packets.

The problem with using an IDS in line with a firewall is that you run the horrible risk of false positives. Proceed with extreme caution. :)

Hope that helps.

James.
-- 
James Ainslie
Systems Administrator
"Power corrupts, and absolute power corrupts absolutely" -- Lord Acton
So who says FreeBSD isn't a corrupt OS?