Quick & temporary tuning of FreeBSD under spoofed SYN flood attack
A SYN flood aims to exhaust resources on a specific network segment (firewall/router) or on a server by consuming CPU and memory (filling the SYN backlog, the session table memory, and so on).
In FreeBSD, the time a connection spends in the TCP SYN_RCVD state can be shortened by limiting the number of SYN+ACK retries. This is done by modifying a kernel parameter:
Code:
# sysctl net.inet.tcp.syncache.rexmtlimit
net.inet.tcp.syncache.rexmtlimit: 10
This means that after the first SYN+ACK packet sent in response to a spoofed SYN, TCP will retransmit it another 10 times, keeping the TCP Control Block in SYN_RECEIVED state and a session open in the firewall (unless the firewall has a very small TCP initial timeout).
Setting this to a smaller value, at least for the duration of the attack, makes the attacker's life a little harder.
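The following script is an added example, not part of the original post, showing how to apply the change temporarily: it records the current value of net.inet.tcp.syncache.rexmtlimit, lowers it for the duration of the attack, and restores the saved value afterwards. It assumes FreeBSD's sysctl(8), root privileges, and a state file path (/var/run/rexmtlimit.saved) chosen here for illustration; the SYSCTL and STATE_FILE variables are hypothetical overrides so the functions can be exercised on a non-FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the original post): temporarily lower the FreeBSD
# syncache SYN+ACK retransmit limit during a spoofed SYN flood and restore it
# afterwards. Assumes FreeBSD sysctl(8) and root. SYSCTL and STATE_FILE are
# overridable so the functions can be tested with a stub on another OS.
SYSCTL="${SYSCTL:-sysctl}"
OID="net.inet.tcp.syncache.rexmtlimit"
STATE_FILE="${STATE_FILE:-/var/run/rexmtlimit.saved}"   # hypothetical path

# Extract the numeric value from a line in sysctl's "oid: value" output form.
parse_sysctl_value() {
    # $1 = a line such as "net.inet.tcp.syncache.rexmtlimit: 10"
    printf '%s\n' "$1" | sed -n 's/^[^:]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# Accept only small non-negative integers. 0 disables SYN+ACK retransmission
# entirely, which also drops legitimate clients that lose the first SYN+ACK,
# so 1 or 2 is the usual floor. 12 is a sanity bound used here; the kernel
# rejects values above its own maximum anyway.
validate_limit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 12 ]
}

# Save the current limit to STATE_FILE and apply the lower one.
lower_rexmtlimit() {
    new="$1"
    validate_limit "$new" || { echo "invalid limit: $new" >&2; return 1; }
    current=$(parse_sysctl_value "$("$SYSCTL" "$OID")") || return 1
    [ -n "$current" ] || { echo "could not read $OID" >&2; return 1; }
    printf '%s\n' "$current" > "$STATE_FILE"
    "$SYSCTL" "$OID=$new" >/dev/null || return 1
    echo "$OID lowered from $current to $new (saved in $STATE_FILE)"
}

# Restore the value saved by lower_rexmtlimit and remove the state file.
restore_rexmtlimit() {
    [ -r "$STATE_FILE" ] || { echo "no saved value in $STATE_FILE" >&2; return 1; }
    saved=$(cat "$STATE_FILE")
    validate_limit "$saved" || { echo "corrupt state file" >&2; return 1; }
    "$SYSCTL" "$OID=$saved" >/dev/null || return 1
    rm -f "$STATE_FILE"
    echo "$OID restored to $saved"
}

# Usage: ./rexmtlimit.sh lower [limit]   (default limit 2)
#        ./rexmtlimit.sh restore
case "${1:-}" in
    lower)   lower_rexmtlimit "${2:-2}" ;;
    restore) restore_rexmtlimit ;;
    *)       echo "usage: $0 lower [limit] | restore" >&2 ;;
esac
```

Keep the saved value rather than hard-coding the default: a host may already run a non-default setting, and restoring the wrong number after the attack silently changes behaviour for normal clients. Fewer retries also means clients on lossy links that miss the first SYN+ACK fail to connect, so treat this as an incident-time knob, not a permanent hardening setting.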