
Re: [cobalt-security] SYN attacks killing me! Please HELP!



Hi Ernesto,

> I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> both) with near 150 customers in it, a few weeks ago the server suddenly
> stopped responding, first once a day, but now it's a nightmare..
> sometimes it stays for days ok, then some day.. we start receiving
> SYN_RECV packets and the server dies.

SYN-Floods are pretty difficult to tackle, as you have already found out.

Although having an ipchains based firewall *on* the same server is better than 
having nothing, in this case you won't get around setting up an external 
Firewall which protects your server.

For more info see:

http://www.usenix.org/events/sec01/invitedtalks/oliver.pdf

IPchains on the RaQs has its limitations due to the outdated Kernel. 
Additionally, the load of the SYN-Flood still puts a burden on the server you 
want to protect, especially if the Firewall and the Webserver are 
hardware-wise on the same box.

So you have to get a separate Firewall up and running which you put in front 
of your RaQ(s) - and you need one which can specifically deal with 
SYN-Flooding.

This can be either a hardware firewall, or a Linux distribution custom 
tailored for Firewall purposes, like SmoothWall, SonicWall, OpenWall ... to 
name a few.

The quick and dirty solution, how I'd do it:

Hook up a PC with two network cards and install Linux on it. Any distro you 
feel familiar with should do fine. Just make sure to apply all vendor 
patches right away and disable all non-essential services. In fact you can do 
away with all network related services but SSH.

Then fetch gShield V2.8 from http://linuxmafia.org/~godot/ and install it on 
the box. It's an IPtables based firewall and *very* easy to configure.

Configure it for NAT and bind all IPs from your RaQ to the Linux box and NAT 
'em to the RaQ. 

Benefits: Cost effective, 2.4-series Kernel, IPtables, easy to configure but 
effective Firewall. 

Downside: You'll need at least 2-3 hours to get it up and running and it's not 
a trivial task unless you know your way around Linux. Configuring for NAT 
will more or less force you to change the IPs on your RaQ(s), too, which is a 
pain for 20 IPs.


-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
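The symptom Ernesto describes, a growing pile of SYN_RECV entries, can be watched on the RaQ itself with plain `netstat` and `awk`, so you can see how bad it is and which sources are responsible before the external firewall is in place. The script below is an added example and not part of the original thread or of gShield; the `netstat -nt` sample it parses is constructed with documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x), and the threshold value is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: count half-open
# connections (state SYN_RECV) per remote address from `netstat -nt`
# output, which is the view you get on a box under a SYN flood.

# Constructed sample of `netstat -nt` output. The Foreign Address
# column ($5) holds the remote peer; the last column is the state.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:52000       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:53000       TIME_WAIT'

# Total number of SYN_RECV entries read from stdin.
syn_recv_total() {
    awk '$NF == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Print "count address" for every remote address that has SYN_RECV
# entries, highest count first. The port is stripped from the peer
# address so all half-open sockets from one host are added together.
syn_recv_by_source() {
    awk '$NF == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

# Print only the remote addresses whose SYN_RECV count reaches the
# threshold given as $1 (the threshold itself is an assumption; tune
# it to what your server normally shows). Spoofed floods spread across
# many sources, so a low total per address with a high overall total
# is itself a sign of a spoofed SYN flood rather than a single client.
syn_recv_offenders() {
    awk -v t="$1" '$NF == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (a in n) if (n[a] >= t) print a }' | sort
}

# Stand-alone demo on the constructed sample. On a live RaQ replace the
# printf with:  netstat -nt | syn_recv_by_source
echo "half-open connections: $(printf '%s\n' "$SAMPLE" | syn_recv_total)"
echo "by remote address:"
printf '%s\n' "$SAMPLE" | syn_recv_by_source
echo "addresses at or above 3 half-open connections:"
printf '%s\n' "$SAMPLE" | syn_recv_offenders 3
```

Running this from cron every minute and logging the totals gives you a timeline of when the floods start, which is useful both for sizing the firewall box and for the abuse reports to the upstream; it does not by itself stop anything, which is why the post is right that the filtering has to move off the RaQ.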