Zang, Lan (Sander) wrote:
> I'm using ipfilter 4.1.10 on Solaris 9 (SPARC). I am wondering how
> IPFilter can be used to prevent a SYN flood attack.
>
> I use another box to send TCP packets with the SYN flag set and a fake
> IP address (x.x.x.x) at a rate of ten packets per second.
> # hping y.y.y.y -S -p 23 -a x.x.x.x --fast
>
> And after a few minutes, ipfstat -s keeps reporting there are about 2000
> or so in use in the state table, while
> the SYN packets keep being sent here. And there is no related syslog.
> ...
> I want to know if this is a kind of SYN flood protection. Is there any
> special configuration for this kind of situation?
> What if I send SYN packets at a rate of 100,000 per second? In this case,
> the Solaris machine can SELDOM respond to
> my input.
>
There isn't any SYN flood protection, per se, such as SYN proxy, mainly because it has not seemed to be a real concern for anyone.

Things you can do now...

Use "keep state (limit 100)" to set a maximum number of state sessions for a rule...

And you can also add "pps 10" to the end of a rule to match at most 10 packets per second:

    pass in proto tcp from any to any port = 80 flags S keep state pps 10

If you would like to see something like this added, please submit it via:
http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849056

Thanks,
Darren
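As an added illustration (not part of Darren's reply or the IPFilter distribution), here is how the two per-rule controls he names can be combined in an ipf.conf rule set for the telnet service the questioner was flooding. The interface name hme0, the state limit of 100, the rate of 10 packets per second and the default-block policy are all assumptions chosen for this example; tune them to the host. Both counters are per rule, not per source address, so a single spoofed source and many spoofed sources are throttled the same way.

```conf
# Example ipf.conf fragment (constructed for illustration, not from the original thread).
# Interface hme0 is an assumed name; replace it with the real external interface.

# Default policy: drop and log anything not explicitly passed below.
block in log on hme0 all
block out log on hme0 all

# Telnet (tcp/23): only new connections (SYN alone) create state.
#   keep state (limit 100) -> at most 100 state entries may exist for this rule,
#                             so an unanswered-SYN flood cannot fill the state table.
#   pps 10                 -> the rule matches at most 10 packets per second;
#                             SYNs above that rate fall through to the block rule.
pass in quick on hme0 proto tcp from any to any port = 23 flags S keep state (limit 100) pps 10

# HTTP (tcp/80): same shape as the rule in the reply, with a larger state limit.
pass in quick on hme0 proto tcp from any to any port = 80 flags S keep state (limit 500) pps 50

# Outbound traffic from this host may create state normally.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state
```

After loading the rules, watch "ipfstat -s" while the test traffic runs: the in-use count for the telnet rule should plateau at the configured limit rather than climbing towards the global state table size, and packets rejected by the limit or the rate cap land on the logging block rule, where ipmon can record them.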
