
[cobalt-security] SYN attacks killing me! Please HELP!



>it _is_ possible to effectively squash TCP SYN flood 
>attacks without needing to enable something as 
>resource-intensive as TCP Intercept at your network 
>boundary. A similar effect can be gained by rate-
>limiting SYN packets to a predetermined percentage of
>your line speed, and permitting them to burst to a 
>slightly higher rate.

We also had problems with SYN Floods taking out our
RaQs.  We still have one RaQ running (in house) but
we've since migrated our users to the OpenNA OS
(http://www.openna.com) which is running GIPTables and
prevents SYN floods in the method you describe.  You
could load the GIPTables (http://www.giptables.org)
onto any system running the 2.4 kernel and get the
same result.  But man oh man.... That OpenNA OS is
FAST, SOLID and SECURE..!!  It's still labeled BETA
because they're adding an install GUI, but the base OS
is final and rock solid..!  We've been running it for
several months with notta one problem and all this SYN
crap has been put to bed..

Here's a snip from the GIPTables config - GIPTables
makes setting up a good firewall as easy as pie..

--------------
# Interface 0 incoming syn-flood protection
INTERFACE0_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE0_IN_TCP_CONN_LIMIT="5/s"
INTERFACE0_IN_TCP_CONN_LIMIT_BURST="9"

This means there may be only 5 concurrent incoming tcp
sessions per second, with a burst of 9. This means
that in the first second, there might be up to 9
concurrent tcp sessions, but there should pass another
2 seconds (2 sec * 5 connections = 10, 10 connections
- 9 connections = 1 connection) until another 1
connection will be allowed. After another second (the
third second), there will be allowed another 5
incoming tcp concurrent sessions.  After another 1
second (the fourth second), there will be allowed
another 5 incoming tcp concurrent sessions, and so on.

# ----------------------------------------------------
# Sanity check
#

    SANITY_CHECK="yes"

# Make sure NEW incoming tcp connections are SYN packets

    INTERFACE0_IN_DROP_NEW_WITHOUT_SYN="yes"

# Drop all incoming fragments

    INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"

# Drop all incoming malformed XMAS packets

    INTERFACE0_IN_DROP_XMAS_PACKETS="yes"

# Drop all incoming malformed NULL packets

    INTERFACE0_IN_DROP_NULL_PACKETS="yes"
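
The rate/burst pair above is a token bucket. The following is an added example, not code from this post or from GIPTables/iptables: it models INTERFACE0_IN_TCP_CONN_LIMIT="5/s" with INTERFACE0_IN_TCP_CONN_LIMIT_BURST="9" as a bucket of 9 tokens refilled continuously at 5 per second (one token per accepted SYN), and counts how many SYNs per second get through under a constructed flood versus a constructed well-behaved client.

```python
"""Token-bucket model of a per-interface SYN rate limit (5/s, burst 9)."""
from dataclasses import dataclass, field


@dataclass
class SynRateLimiter:
    rate: float    # tokens refilled per second  (INTERFACE0_IN_TCP_CONN_LIMIT="5/s")
    burst: int     # bucket capacity             (INTERFACE0_IN_TCP_CONN_LIMIT_BURST="9")
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # The bucket starts full, so an idle link can absorb one burst of 9 SYNs.
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        """Return True if a SYN arriving at time `now` (seconds) passes the limit."""
        # Refill for the time elapsed since the previous SYN, capped at the burst size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0      # each accepted SYN spends one token
            return True
        return False                # bucket empty: this SYN is dropped


def accepted_per_second(arrivals, rate=5.0, burst=9):
    """Count accepted SYNs in each whole second for a list of arrival timestamps."""
    limiter = SynRateLimiter(rate, burst)
    counts = {}
    for t in sorted(arrivals):
        counts[int(t)] = counts.get(int(t), 0) + (1 if limiter.allow(t) else 0)
    return [counts.get(s, 0) for s in range(int(max(arrivals)) + 1)]


# Constructed sample traffic (hypothetical, not captured data):
# a flood sending 20 SYNs at the start of each of four seconds ...
CONSTRUCTED_FLOOD = [float(sec) for sec in range(4) for _ in range(20)]
# ... and a client opening 4 connections per second, spaced 250 ms apart.
CONSTRUCTED_POLITE = [i * 0.25 for i in range(16)]

if __name__ == "__main__":
    print("flood  :", accepted_per_second(CONSTRUCTED_FLOOD))   # [9, 5, 5, 5]
    print("polite :", accepted_per_second(CONSTRUCTED_POLITE))  # [4, 4, 4, 4]
```

The flood gets the full burst of 9 in the first second and only the steady 5/s afterwards, while a client staying under 5/s is never throttled.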

