[EMAIL PROTECTED] wrote: > > 1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do > > not exist on the target. > > this is not a 'SYN flood'; 'SYN flood'=TCP SYN+FIN > seems like someone is continuosly using TCP SYN "half-open" > scan to get your open ports, or just sends random SYN pakets
This works really well as a denial of service for FreeBSD, since it fills up the SYN cache, forcing the use of SYN cookies. A secondary attack, after the SYN cache has been filled once to force the SYN cookie flag on, is to send ACK's, forcing the FreeBSD box to do relatively expensive cryptographic calculations on the ACK, to see if it's an ACK with a valid SYN cookie. An exhaustive search of the sequence number space after that (to discover a valid SYN cookie) can lead to people being able to open connections without the SYN/SYN-ACK. The benefit to overflowing to the point of getting a valid SYN coookie for this exploit is that you can, in that packet, include data payload. By doing that, you can basically send a data payload to a FreeBSD daemon, using a spoofed source IP address, and have it do something, which is not something you could do, without having SYN cookies. Aside from the other good advice in the previous posting, I suggest that you disable SYN cookies. Another useful thing to do is limit the number of connections per second from a given source IP address, and to limit the total number of connection "in progress" from a given IP address. -- Terry To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
