Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Register
FAQ
It is currently Sun Dec 10, 2023 6:34 am

ROOT ‹ Network Security & Routing & Switching ‹ Security, NAT, Policies, Screen, Flow, TCP ‹ Quick & temporary tuning of FreeBSD under spoofed SYN flood attack

Post a reply

Quick & temporary tuning of FreeBSD under spoofed SYN flood attack

« Previous topic | Next topic »
Author Message
admin
Post  Post subject: Quick & temporary tuning of FreeBSD under spoofed SYN flood attack  |  Posted: Tue Jan 22, 2013 9:31 am
Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104

Offline
 

Quick & temporary tuning of FreeBSD under spoofed SYN flood attack

Syn flood is purposed to take up resources on specific network segment (firewall/router) or server by filling up CPU / memory resources (by filling syn backlog, memory for session table and so on).

In FreeBSD, TCP SYN_RCVD state timer can be dropped down by limiting the nunmber of SYN+ACK retries. This is done by modifying kernel parameter:

Code:
# sysctl net.inet.tcp.syncache.rexmtlimit
net.inet.tcp.syncache.rexmtlimit: 10


This means after the first SYN+ACK packet in response to a spoofed SYN packet, TCP will send another 10 such retries, keeping the TCP Control Block in SYN_RECEIVED state as well as a session open in the firewall (unless the firewall has a very small TCP initial timeout).

By setting this value to a smaller value, at least during the attack, can make the life of the attacker a little harder.





Top
admin
Post  Post subject: Re: Quick & temporary tuning of FreeBSD under spoofed SYN flood attack  |  Posted: Tue Jan 22, 2013 9:43 am
Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104

Offline
For Linux, this is controled with:
Code:
# sysctl net.ipv4.tcp_synack_retries
net.ipv4.tcp_synack_retries = 5
Top
Display posts from previous:  Sort by  
 E-mail friendPrint view
Post a reply
Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
cronNews News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


ROOT ‹ Network Security & Routing & Switching ‹ Security, NAT, Policies, Screen, Flow, TCP
Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO