search for: syncach

-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:20 Security Advisory FreeBSD, Inc. Topic: syncache/syncookies denial of service Category: core Module: net Announced: 2002-04-16 Credits: Alan Judge <Alan.Judge@eircom.net> Dima Ruban <dima@FreeBSD.org> Affects: FreeBSD 4.5-RELEASE FreeBSD 4.4-STABLE after 2001-12-14 19:...

...mfsroot_type="mfs_root" mfsroot_name="/mfsboot" vfs.root.mountfrom="ufs:md0" vfs.root.mountfrom.options="rw" ## Tunables kern.ipc.nmbclusters=32768 net.inet.tcp.tcbhashsize=16384 vm.pmap.pg_ps_enabled=1 accf_http_load="YES" net.inet.tcp.syncache.hashsize=1024 net.inet.tcp.syncache.bucketlimit=100 The size of mfsboot is 600M. The diff between GENERIC and my kernel config, comments left in so people can see what I was doing 7.3ish: 28.43d26 < ### FBCD64 SPECIFIC < #options MD_ROOT_SIZE="524288" < options GEOM_U...

...004 @@ -414,6 +414,7 @@ u_long tcps_badsyn; /* bogus SYN, e.g. premature ACK */ u_long tcps_mturesent; /* resends due to MTU discovery */ u_long tcps_listendrop; /* listen queue overflows */ + u_long tcps_badrst; /* ignored RSTs in the window */ u_long tcps_sc_added; /* entry added to syncache */ u_long tcps_sc_retransmitted; /* syncache entry was retransmitted */ -------------- next part -------------- --- /usr/src/usr.bin/netstat/inet.c.old Fri Apr 23 22:19:43 2004 +++ /usr/src/usr.bin/netstat/inet.c Fri Apr 23 22:21:09 2004 @@ -415,6 +415,7 @@ p(tcps_accepts, "\t%lu connecti...

Hello, I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with syn floods and go down multiple times a day. The 7 servers belong to a client, who runs redhat. I am trying to find a way to do some kind of syn flood protection inside the firewall. Any suggestions would be greatly appreciated. -- Ryan James ryan@mac2.net

.../amd64/amd64/exception.S:455 #16 0x0000000000000000 in ?? () #17 0x0000000000000000 in ?? () #18 0x0000000000000001 in ?? () in /boot/loader.conf I have: vm.kmem_size=1536M # 2 Mb KVA/kmem net.inet.tcp.tcbhashsize=131072 # 64M KVA kern.maxbcache=64M # 4M KVA kern.ipc.maxpipekva=4M # net.inet.tcp.syncache.hashsize=1024 net.inet.tcp.syncache.bucketlimit=100 in /etc/sysctl.conf # 576 Mb KVA/kmem kern.ipc.nmbclusters=262144 kern.ipc.nmbjumbop=65536 kern.ipc.maxsockets=307200 kern.ipc.somaxconn=4096 kern.maxfiles=307200 kern.maxfilesperproc=102400 $ sysctl vm.kvm_free vm.kvm_free: 327151616 netsta...

...inodedep 45 262K - 58 128 pagedep 6 65K - 17 64 p1003.1b 1 1K - 1 16 agp 2 65K - 2 16 NFS daemon 1 1K - 1 256 in6_multi 28 1K - 28 16,32,64 syncache 1 8K - 1 CAM queue 23 1K - 106 16 hostcache 1 24K - 1 in_multi 2 1K - 2 32 routetbl 28 3K - 65 16,32,64,128,256 CAM periph 7 1K - 10 128 lo...

...No accept filters are enabled by default. A system administrator must either compile the FreeBSD kernel with a particular accept filter option (such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in order to utilize accept filters. II. Problem Description In the process of adding a syncache to FreeBSD, mechanisms to remove entries from the incomplete listen queue were removed, as only sockets undergoing accept filtering now use the incomplete queue. III. Impact By simply connecting to a socket using accept filtering and holding a few hundred sockets open (~190 with the default back...

...0 rsp0 = 0xffffff9a3ea71bc0 gs32p = 0xffffffff814deab8 ldt = 0xffffffff814deaf8 tss = 0xffffffff814deae8 spin locks held: db:0:pcpu> bt Tracing pid 12 tid 100069 td 0xfffffe00264b8000 kdb_enter() at kdb_enter+0x3b panic() at panic+0x1d1 soabort() at soabort+0x99 syncache_expand() at syncache_expand+0x306 tcp_input() at tcp_input+0x1033 ip_input() at ip_input+0xbd netisr_dispatch_src() at netisr_dispatch_src+0x152 ether_demux() at ether_demux+0x17d ether_nh_input() at ether_nh_input+0x20e netisr_dispatch_src() at netisr_dispatch_src+0x152 ether_demux() at ether_dem...

Hi, I got this error when i tried to type for some of those. "sysctl: unknown oid...." any idea.. my server seems to be very lagged, where else the network connection seems fine, i think BSD itself as my other redhat box is fine. What else can i do to get optimum protection. Thanks. ----- Original Message ----- From: "Per Engelbrecht" <per@xterm.dk> To: