Tom Huppi wrote:
On 12:32 Thu 07 Aug , David DeSimone wrote:
Tom Huppi <[EMAIL PROTECTED]> wrote:
Anyway, I am getting what I believe to be SYN floods
periodically. They dwarf my production traffic and sometimes
get close to producing as much bandwidth as we are paying for. A
representative sample looks like so when viewed with tcpdump on
my outward interface ('em1'):
21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
Since you went to the trouble of obscuring the source IP, I presume that
the source IP is your IP. So, these look like responses, i.e. outbound
traffic, not inbound, since they are sourced from your IP. You can use
tcpdump's -e flag to be sure who is sending and who is receiving.
I obscured my own IP range, which is the 74.nnn.nnn. one, and it
is a /24. Interestingly, most of the IPs on my side are ones
where I have no host.
The reason why is that I figured that if I myself were a
semi-sophisticated cracker, I would look for targets of
opportunity on the various mailing lists where one could identify
both networks administered by newbie/part-time personnel, and
often a fair amount about the configuration of said :)
The IP '125.21.176.19' is exactly as it appeared on my tcpdump.
It shows as a telecom company in India in this case... usually
it's some network company or another in China.
My network looks like so:
                        -------------  em0  <---> internal range
Network Provider <----> em1 | pf firewall |
   (Internap)           -------------  bce1 <---> dmz range
I took the tcpdump output to indicate that SYN packets showing an Indian origin
were showing up addressed to (mainly non-existent) IP addresses within my /24
network.
I'll look at 'tcpdump -e'. Thanks for the hint!
If the SYN flood comes from a single IP you can just block traffic from it.
For every SYN packet you are sending a SYN-ACK packet, so yes, the traffic
goes both ways.
Why you do not see it on tcpdump I dunno.
In all cases you want to limit the max number of states that can be
created by a single source IP, and you want to limit the rate of new
connections over a time interval.
- max-src-states
- max-src-conn-rate
Anyway, if the incoming traffic "floods" your pipe this will not help,
but at least your firewall will work properly ;)
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
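An added pf.conf fragment (not from this thread or the pf project) showing how the two options Stefan names are combined with an overload table so an offending source is cut off automatically. The interface name em1 matches Tom's setup; the dmz_net macro and the table name <synflood> are assumptions, and the numeric limits are placeholders to tune against real traffic.

```pf
# Assumed: em1 is the outside interface, dmz_net the /24 the DNS hosts sit in.
ext_if  = "em1"
dmz_net = "74.123.192.0/24"

# Sources that exceed the limits below land in this table.
table <synflood> persist

# Drop everything from a source already in the table.
block in quick on $ext_if from <synflood>

# Allow TCP DNS to the DMZ, but:
#  - max-src-states 50        : at most 50 concurrent states per source IP
#  - max-src-conn-rate 15/5   : at most 15 new connections per 5 seconds per source
#  - overload <synflood>      : a source breaking either limit is added to the table
#  - flush global             : and all of its existing states are torn down
# synproxy state makes pf complete the handshake itself, so a half-open SYN
# never reaches a DMZ host; SYNs for addresses with no host are still answered
# by pf, which is the outbound SYN-ACK traffic discussed above.
pass in on $ext_if proto tcp from any to $dmz_net port domain \
    flags S/SA synproxy state \
    (max-src-states 50, max-src-conn-rate 15/5, overload <synflood> flush global)
```

As Stefan notes, per-source limits only help when the flood has a small number of real source addresses and does not already saturate the link. Table entries persist until removed, so age them out periodically, e.g. `pfctl -t synflood -T expire 3600` from cron.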
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"