> The other day my machine was attacked with, what I believe is, a SYN
> flood. tcpdump gave me this output (1.1.1.1 is me and 2.2.2.2 is him)
>
> 20:57:05.828276 2.2.2.2.4064 > 1.1.1.1.33948: S 1409055765:1409055765(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
> 20:57:05.836343 2.2.2.2.4065 > 1.1.1.1.14060: S 1409337177:1409337177(0) win 32120 <mss 1460,sackOK,timestamp 2513879 0,nop,wscale 0> (DF)
> 20:57:05.877668 2.2.2.2.4066 > 1.1.1.1.24418: S 1402287967:1402287967(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
> 20:57:05.878095 2.2.2.2.4067 > 1.1.1.1.63768: S 1395991751:1395991751(0) win 32120 <mss 1460,sackOK,timestamp 2513881 0,nop,wscale 0> (DF)
> ...
>
> Anyways, this attack lasted for about 40 minutes and I had a firewall
> ('ipfw show' said the packets were being denied). After about 30 minutes
> my system began swapping. I looked around and found ppp (what I used to
> connect with via tun0) was now taking up 47MB of RAM and was still
> growing. The attack didn't really affect the system load until it started
> swapping.. and then it was minimal.
>
> So my question is.. Is this a problem with my firewall rules or a problem
> in ppp? (I run ppp with -alias) I was always under the impression that if
> you deny the SYNs where you can (or where they shouldn't be) then they
> can't cause a problem. I guess this is wrong.

I don't know of any memory leaks in ppp, but that doesn't mean much :-]
You could try staging the event again and doing a ppp ``show mem'' to
see how much memory ppp thinks it has.....

> My system:
> CPU: pII 266
> RAM: 64MB
> SWAP: 115MB
> OS: FreeBSD-current 4.0 (Oct 20, 1999)
>
> FreeBSD fan
> Mike
--
Brian <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
<http://www.Awfulhak.org> <[EMAIL PROTECTED]>
Don't _EVER_ lose your sense of humour ! <[EMAIL PROTECTED]>