Re: [cobalt-security] SYN attacks killing me! Please HELP!
- Subject: Re: [cobalt-security] SYN attacks killing me! Please HELP!
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 23 Jul 2002 01:25:08 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Ernesto,
> I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> both) with near 150 customers in it, a few weeks ago the server suddenly
> stopped responding, first once a day, but now it's a nightmare..
> sometimes it stays for days ok, then some day.. we start receiving
> SYN_RECV packets and the server dies.
SYN floods are pretty difficult to tackle, as you have already found out.
Although having an ipchains-based firewall *on* the same server is better than
having nothing, in this case you won't get around setting up an external
firewall which protects your server.
For more info see:
http://www.usenix.org/events/sec01/invitedtalks/oliver.pdf
IPchains on the RaQs has its limitations due to the outdated Kernel.
Additionally, the load of the SYN flood still puts a burden on the server you
want to protect, especially if the firewall and the web server are
hardware-wise on the same box.
So you have to get a separate Firewall up and running which you put in front
of your RaQ(s) - and you need one which can specifically deal with
SYN-Flooding.
This can be either a hardware firewall, or a Linux distribution custom
tailored for Firewall purposes. Like SmoothWall, SonicWall, OpenWall ... to
name a few.
The quick and dirty solution how I'd do it:
Hook up a PC with two network cards and install Linux on it. Any distro you
feel familiar with should do fine. Just make sure to apply all vendor
patches right away and disable all non-essential services. In fact you can do
away with all network-related services but SSH.
Then fetch gShield V2.8 from http://linuxmafia.org/~godot/ and install it on
the box. It's an IPtables based firewall and *very* easy to configure.
Configure it for NAT and bind all IPs from your RaQ to the Linux box and NAT
'em to the RaQ.
Benefits: Cost effective, 2.4-series Kernel, IPtables, easy to configure but
effective Firewall.
Downside: You'll need at least 2-3 hours to get it up and running and it's not
a trivial task unless you know your way around Linux. Configuring for NAT
will more or less force you to change the IPs on your RaQ(s), too, which is a
pain for 20 IPs.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
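As an added example (not part of Michael's post, and not gShield's own configuration), the script below lays out the iptables rule set such a two-NIC Linux box in front of a RaQ would need: the public IPs are aliased onto the outside interface, each is NATed 1:1 to a private alias on the RaQ, SYN cookies are turned on, and the rate of new SYNs forwarded toward the RaQ is capped so a flood is absorbed on the firewall rather than on the RaQ. The interface names, the 10.0.0.0/24 private network and the three address pairs are assumptions for illustration; a real deployment would list all of the RaQ's public IPs. The script prints the commands by default so the rule set can be reviewed, and only executes them when run with the argument `apply`.

```sh
#!/bin/sh
# Added example: iptables rule generator for a 2.4-kernel Linux firewall
# sitting between the Internet and a Cobalt RaQ. Not from the original post.
# Interface names, netmasks and all addresses below are assumed.

WAN_IF="${WAN_IF:-eth0}"                 # faces the Internet (assumed)
WAN_MASK="${WAN_MASK:-255.255.255.0}"    # netmask of the public block (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # private segment shared with the RaQ (assumed)
LAN_NET="${LAN_NET:-10.0.0.0/24}"        # private network on LAN_IF (assumed)
IPT="${IPT:-iptables}"

# Constructed 1:1 mapping: "public_ip private_alias_on_the_raq", one per line.
# Each IP-based vhost on the RaQ keeps its own address, just re-numbered privately.
mappings() {
    cat <<'EOF'
198.51.100.10 10.0.0.10
198.51.100.11 10.0.0.11
198.51.100.12 10.0.0.12
EOF
}

# Emit every command instead of running it, so the rule set can be inspected.
gen_rules() {
    # SYN cookies stop the firewall's own backlog from filling under a flood;
    # forwarding is required for NAT to work at all.
    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # Start from a clean, default-deny state for INPUT and FORWARD.
    echo "$IPT -F; $IPT -t nat -F; $IPT -X"
    echo "$IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The firewall itself only answers SSH, and only from the private side.
    echo "$IPT -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT"

    # Forwarded traffic: replies pass, new SYNs from the Internet are rate-limited
    # before they can reach the RaQ, and everything over the limit is dropped here.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -N SYN_LIMIT"
    echo "$IPT -A SYN_LIMIT -m limit --limit 50/s --limit-burst 100 -j RETURN"
    echo "$IPT -A SYN_LIMIT -j DROP"
    echo "$IPT -A FORWARD -i $WAN_IF -p tcp --syn -j SYN_LIMIT"

    n=0
    mappings | while read pub priv; do
        # Alias the public IP onto the outside NIC so the firewall answers ARP for it.
        echo "ifconfig $WAN_IF:$n $pub netmask $WAN_MASK up"
        # Inbound: public IP -> matching private alias on the RaQ.
        echo "$IPT -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        # Only the hosting services are forwarded to the RaQ (ftp, ssh, smtp, http, pop3, https).
        echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports 21,22,25,80,110,443 -m state --state NEW -j ACCEPT"
        # Outbound: traffic the RaQ sources from that alias leaves with its public IP.
        echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
        n=$((n + 1))
    done
    # Anything else the RaQ side originates may go out as well.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
}

# Apply by piping the reviewed commands into a shell that stops on the first error.
apply_rules() {
    gen_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to read the generated commands; run it as root with `apply` on the firewall box once the addresses match your setup. The SYN limit (50 per second, burst 100) is a starting point for a box serving 150 customers and should be tuned against normal traffic, since a limit set too low will turn legitimate connection attempts away during busy periods.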