> it _is_ possible to effectively squash TCP SYN flood
> attacks without needing to enable something as
> resource-intensive as TCP Intercept at your network
> boundary. A similar effect can be gained by rate-limiting
> SYN packets to a predetermined percentage of
> your line speed, and permitting them to burst to a
> slightly higher rate.

We also had problems with SYN floods taking out our RaQs. We still have one RaQ running (in house), but we've since migrated our users to the OpenNA OS (http://www.openna.com), which is running GIPTables and prevents SYN floods in the method you describe. You could load GIPTables (http://www.giptables.org) onto any system running the 2.4 kernel and get the same result.

But man oh man.... That OpenNA OS is FAST, SOLID and SECURE..!! It's still labeled BETA because they're adding an install GUI, but the base OS is final and rock solid..! We've been running it for several months with notta one problem and all this SYN crap has been put to bed..

Here's a snip from the GIPTables config - GIPTables makes setting up a good firewall as easy as pie..

--------------
# Interface 0 incoming syn-flood protection
INTERFACE0_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE0_IN_TCP_CONN_LIMIT="5/s"
INTERFACE0_IN_TCP_CONN_LIMIT_BURST="9"

This means there may be only 5 concurrent incoming TCP sessions per second, with a burst of 9. This means that in the first second there might be up to 9 concurrent TCP sessions, but another 2 seconds must pass (2 sec * 5 connections = 10, 10 connections - 9 connections = 1 connection) until another 1 connection will be allowed. After another second (the third second), another 5 incoming concurrent TCP sessions will be allowed. After another 1 second (the fourth second), another 5 incoming concurrent TCP sessions will be allowed, and so on.
# ----------------------------------------------------
# Sanity check
#
SANITY_CHECK="yes"

# Make sure NEW incoming tcp connections are SYN packets
INTERFACE0_IN_DROP_NEW_WITHOUT_SYN="yes"

# Drop all incoming fragments
INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"

# Drop all incoming malformed XMAS packets
INTERFACE0_IN_DROP_XMAS_PACKETS="yes"

# Drop all incoming malformed NULL packets
INTERFACE0_IN_DROP_NULL_PACKETS="yes"

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
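The following is an added worked example, written for this page and not code from GIPTables, OpenNA or the poster. It models the two controls quoted above so their effect on traffic can be seen: the sanity checks (NEW-without-SYN, fragments, XMAS, NULL) as plain TCP flag and fragment tests, and the 5/s, burst 9 connection limit as a token bucket, which is how the netfilter `limit` match that such a rule compiles to behaves. Assumptions: the `Packet` class, `parse_limit`, `TokenBucket`, `sanity_check` and `filter_syns` are names invented here; XMAS is taken to mean every TCP flag bit set (the common `--tcp-flags ALL ALL` rule); the sample packets are constructed, not captured.

```python
"""Model of a SYN-flood rate limit plus TCP sanity checks (added illustration).

Not GIPTables or netfilter code. It reproduces the behaviour of iptables rules
of the shape `-p tcp --syn -m limit --limit 5/s --limit-burst 9 -j ACCEPT`
(with a DROP for whatever exceeds the limit) and the usual XMAS / NULL /
fragment / NEW-without-SYN drops, on constructed sample packets.
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Packet:
    """Constructed sample packet carrying only the fields the checks look at."""
    t: float                 # arrival time in seconds
    flags: int               # TCP flag bits
    fragment: bool = False   # non-first IP fragment (what `iptables -f` matches)
    new: bool = True         # conntrack state NEW, i.e. no existing flow


def parse_limit(spec: str) -> float:
    """Turn an iptables-style rate such as "5/s" or "30/m" into events/second.
    Assumption: only the unit's first letter (s, m, h, d) is significant."""
    value, unit = spec.split("/")
    per_second = {"s": 1, "m": 60, "h": 3600, "d": 86400}[unit[0].lower()]
    return float(value) / per_second


class TokenBucket:
    """`limit` match semantics: up to `burst` matches at once, then the bucket
    refills continuously at `rate` tokens/second; a packet passes only if a
    whole token is available when it arrives."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens + 1e-9 >= 1.0:   # epsilon absorbs float drift in the refill sum
            self.tokens -= 1.0
            return True
        return False


def sanity_check(p: Packet) -> Optional[str]:
    """Return the name of the sanity rule that drops the packet, or None."""
    if p.fragment:
        return "DROP_ALL_FRAGMENTS"
    if p.flags == ALL_FLAGS:             # XMAS: every flag lit (assumed definition)
        return "DROP_XMAS_PACKETS"
    if p.flags == 0:                     # NULL: no flags at all
        return "DROP_NULL_PACKETS"
    # iptables --syn means SYN set with ACK and RST clear
    is_syn = (p.flags & (SYN | ACK | RST)) == SYN
    if p.new and not is_syn:
        return "DROP_NEW_WITHOUT_SYN"
    return None


def filter_syns(packets: List[Packet], limit: str = "5/s", burst: int = 9) -> dict:
    """Apply the sanity checks, then rate-limit the surviving NEW connections.
    Returns a count per verdict."""
    bucket = TokenBucket(parse_limit(limit), burst)
    verdicts = {"ACCEPT": 0, "DROP_RATE_LIMIT": 0}
    for p in sorted(packets, key=lambda pk: pk.t):
        rule = sanity_check(p)
        if rule:
            verdicts[rule] = verdicts.get(rule, 0) + 1
            continue
        if p.new and not bucket.take(p.t):   # only new SYNs count against the limit
            verdicts["DROP_RATE_LIMIT"] += 1
            continue
        verdicts["ACCEPT"] += 1
    return verdicts


def syn_flood(n: int = 100, duration: float = 1.0) -> List[Packet]:
    """Constructed flood: n bare SYNs spread evenly over `duration` seconds."""
    return [Packet(t=i * duration / n, flags=SYN) for i in range(n)]


def normal_traffic() -> List[Packet]:
    """Constructed quiet traffic: one new connection every half second for 10 s,
    one packet of an established flow, and one of each malformed packet."""
    pkts = [Packet(t=i * 0.5, flags=SYN) for i in range(20)]
    pkts += [Packet(t=3.1, flags=ACK, new=False),      # established flow, not limited
             Packet(t=3.2, flags=ALL_FLAGS),           # XMAS probe
             Packet(t=3.3, flags=0),                   # NULL probe
             Packet(t=3.4, flags=ACK),                 # NEW connection without SYN
             Packet(t=3.5, flags=SYN, fragment=True)]  # fragment
    return pkts


if __name__ == "__main__":
    print("flood of 100 SYNs in 1 s:", filter_syns(syn_flood()))
    print("normal traffic:", filter_syns(normal_traffic()))
```

Running it shows the point of the burst value: of 100 SYNs arriving in one second, the first 9 are admitted from the burst and 4 more as the bucket refills at 5/s, so 13 reach the host and 87 are dropped, while the 2-connections-per-second background traffic never exhausts the bucket and is all accepted. The bucket refills continuously, so once the burst is spent one further SYN gets through every 0.2 s at a 5/s limit; legitimate clients retransmit their SYN, so they usually still connect, just more slowly, during a flood.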
