I'm using ipfilter 4.1.10 on Solaris 9 (SPARC). I am wondering how
IPFilter can be used to prevent SYN flood attacks.
I use another box to send TCP packets with the SYN flag set and a fake
IP address (x.x.x.x) at a rate of ten packets per second.
# hping y.y.y.y -S -p 23 -a x.x.x.x --fast
And after a few minutes, ipfstat -s keeps reporting about 2000
or so in use in the state table, while
the SYN packets keep being sent here. And there is no related syslog.
# ipfstat -s
IP states added:
319001 TCP
20 UDP
653 ICMP
1321168 hits
4661712 misses
810749 maximum
0 no memory
26832 max bucket
810749 maximum
0 no memory
2035 bkts in use
2600 active
667 expired
289575 closed
State logging enabled
State table bucket statistics:
2035 in use
35.47% bucket usage
0 minimal length
5 maximal length
1.278 average length
I want to know if this is a kind of SYN flood protection. Is there any
special configuration for this kind of situation?
What if I send SYN packets at a rate of 100,000 per second? In that case,
the Solaris machine can SELDOM respond to
my input.
Regards,
Sander
PS: Here is part of my ipfilter rules, and packets I captured from Solaris.
# ipfstat -nhioR
0 @1 block out log body level local0.info on hme0 all head 15
.......
0 @11 pass out quick proto tcp from y.y.y.y/32 to any keep state group 15
0 @2 block out log body level local0.info quick on hme0 all
......
0 @13 pass out quick on lo0 all
0 @14 block out log body level local0.info all
0 @1 block in log body level local0.info on hme0 all head 10
......
0 @17 pass in quick proto tcp from any to y.y.y.y/32 port = 23 flags S/FSRPAU keep state group 10
......
0 @27 block in log body level local0.info quick proto tcp from any to any group 10
0 @2 block in log body level local0.info quick on hme0 all
......
0 @11 pass in quick on lo0 all
0 @12 block in log body level local0.info all
# snoop -d hme0 host x.x.x.x
Using device /dev/hme (promiscuous mode)
y.y.y.y -> x.x.x.x TELNET R port=4335
y.y.y.y -> x.x.x.x TELNET R port=2869
y.y.y.y -> x.x.x.x TELNET R port=4151
y.y.y.y -> x.x.x.x TELNET R port=4274
x.x.x.x -> y.y.y.y TELNET C port=4366
y.y.y.y -> x.x.x.x TELNET R port=4366
y.y.y.y -> x.x.x.x TELNET R port=3415
y.y.y.y -> x.x.x.x TELNET R port=2324
y.y.y.y -> x.x.x.x TELNET R port=3906
y.y.y.y -> x.x.x.x TELNET R port=2870
y.y.y.y -> x.x.x.x TELNET R port=4336
y.y.y.y -> x.x.x.x TELNET R port=4152
y.y.y.y -> x.x.x.x TELNET R port=4275
x.x.x.x -> y.y.y.y TELNET C port=4367
y.y.y.y -> x.x.x.x TELNET R port=4367
y.y.y.y -> x.x.x.x TELNET R port=3416
y.y.y.y -> x.x.x.x TELNET R port=2325
y.y.y.y -> x.x.x.x TELNET R port=3907
y.y.y.y -> x.x.x.x TELNET R port=2871
.........
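The two outputs in the post (the snoop summary and ipfstat -s) carry the signal a defender would want to watch when deciding whether a state table is filling with half-open connections. The script below is an added example written for this thread; it is not part of the original post and not IPFilter's own tooling. It parses snoop summary lines in the format shown above, counts per peer address the ports on which the server sent more replies than it received client packets (retransmitted SYN-ACKs to a peer that never completes the handshake), and parses ipfstat -s into a small health summary. The capture sample is constructed from the post's snoop lines with two repeated ports added to show retransmission; the ipfstat sample is the post's own output. One assumption to check against your ipfilter version: the "maximum" and "no memory" lines are treated here as counts of failed state insertions (state table full, allocation failure), which is how the 4.x sources I recall account for them.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the snoop capture in the post: y.y.y.y is
# the Solaris telnet server, x.x.x.x the forged peer address. snoop prints
# 'C' for client->server packets and 'R' for the server's replies. A port
# that sees replies but no (or fewer) client packets is a half-open
# connection whose SYN-ACK is being retransmitted to a silent peer.
SNOOP_SAMPLE = """\
y.y.y.y -> x.x.x.x TELNET R port=4335
y.y.y.y -> x.x.x.x TELNET R port=2869
y.y.y.y -> x.x.x.x TELNET R port=4151
x.x.x.x -> y.y.y.y TELNET C port=4366
y.y.y.y -> x.x.x.x TELNET R port=4366
y.y.y.y -> x.x.x.x TELNET R port=3415
y.y.y.y -> x.x.x.x TELNET R port=4335
y.y.y.y -> x.x.x.x TELNET R port=2869
"""

# The ipfstat -s output quoted in the post, used unchanged as sample input.
IPFSTAT_SAMPLE = """\
IP states added:
319001 TCP
20 UDP
653 ICMP
1321168 hits
4661712 misses
810749 maximum
0 no memory
26832 max bucket
810749 maximum
0 no memory
2035 bkts in use
2600 active
667 expired
289575 closed
State logging enabled
State table bucket statistics:
2035 in use
35.47% bucket usage
0 minimal length
5 maximal length
1.278 average length
"""

SNOOP_LINE = re.compile(r"^(\S+) -> (\S+) (\S+) ([CR]) port=(\d+)$")


def parse_snoop(text):
    """Yield (src, dst, service, direction, port) for each snoop summary line."""
    for line in text.splitlines():
        m = SNOOP_LINE.match(line.strip())
        if m:
            src, dst, svc, direction, port = m.groups()
            yield src, dst, svc, direction, int(port)


def half_open_by_peer(text, server):
    """Per peer address: number of half-open ports plus reply/client packet totals.

    A (peer, port) pair is counted as half-open when the server sent more
    replies on it than the peer sent packets, i.e. SYN-ACK retransmissions."""
    per_port = defaultdict(lambda: {"C": 0, "R": 0})
    for src, dst, _svc, direction, port in parse_snoop(text):
        if direction == "C" and dst == server:
            per_port[(src, port)]["C"] += 1
        elif direction == "R" and src == server:
            per_port[(dst, port)]["R"] += 1
    summary = defaultdict(lambda: {"half_open_ports": 0, "replies": 0, "client_pkts": 0})
    for (peer, _port), c in per_port.items():
        s = summary[peer]
        s["replies"] += c["R"]
        s["client_pkts"] += c["C"]
        if c["R"] > c["C"]:
            s["half_open_ports"] += 1
    return dict(summary)


def suspicious_peers(text, server, min_half_open=3):
    """Peers with at least min_half_open half-open ports in the capture window."""
    return sorted(p for p, s in half_open_by_peer(text, server).items()
                  if s["half_open_ports"] >= min_half_open)


IPFSTAT_LINE = re.compile(r"^\s*([\d.]+)(%?)\s+(.+?)\s*$")


def parse_ipfstat(text):
    """Map each '<number> <label>' line of ipfstat -s to label -> number."""
    stats = {}
    for line in text.splitlines():
        m = IPFSTAT_LINE.match(line)
        if m:
            value, pct, label = m.groups()
            stats[label] = float(value) if ("." in value or pct) else int(value)
    return stats


def state_table_health(text):
    """Derived figures a defender would watch while the table is under load."""
    s = parse_ipfstat(text)
    active, bkts = s["active"], s["bkts in use"]
    return {
        "states_added": s["TCP"] + s["UDP"] + s["ICMP"],
        "active": active,
        "buckets_in_use": bkts,
        # hash table size implied by the reported bucket usage percentage
        "estimated_buckets": round(bkts / (s["bucket usage"] / 100)),
        # should agree with the reported average chain length
        "avg_chain": round(active / bkts, 3),
        "reported_avg_chain": s["average length"],
        # assumption: these two counters record failed state insertions
        "insert_failures": s["maximum"] + s["no memory"],
    }


if __name__ == "__main__":
    print(half_open_by_peer(SNOOP_SAMPLE, "y.y.y.y"))
    print(suspicious_peers(SNOOP_SAMPLE, "y.y.y.y"))
    print(state_table_health(IPFSTAT_SAMPLE))
```

Fed the post's own numbers, the health summary shows 2600 active states spread over 2035 buckets (average chain 1.278, matching the reported figure) in a table of roughly 5737 buckets, alongside more than 800,000 insertion failures for about 320,000 states added; that failure count, not the stable "in use" figure, is the line to watch when asking whether the table is saturating.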