On Wed, Feb 07, 2007 at 11:56:05AM +0800, frank hu wrote:
> What is the solution?
Make it a two-step process. Use synproxy for incoming connections on the
external interface, with a larger state limit and adaptive timeouts, like
set limit states 10000
set timeout interval 1
pass in on $ext_if inet proto tcp from any to any port 80
synproxy state (max 5000, tcp.first 5,
adaptive.start 10, adaptive.end 5000)
This limits the number of states (including synproxy states that haven't
completed the handshake) to 5000. While there are less than 10 states,
a client has 5 seconds to complete the handshake, before the state is
removed. The more states there are, the more aggressive this timeout
becomes (with 2500 states, it becomes 2.5s, at 4900 states basically 1s).
Now the legitimate client will race against the DoS attack for a free
spot in the state table. The more aggressive the timeouts, the more
spots get freed per second. The larger the limit (try increasing 'max
1000'), the more spots are free at any time. This is not a guarantee
that the legitimate client will promptly get a state at any time, it's
statistics. It depends on how many connection attempts per second the
DoS delivers vs. the frequency of legitimate connection attempts.
Now that you have dealt with spoofed SYNs on the external interface, you
can use connection tracking ('max-src-states', 'max-src-conn-rate') for
outgoing connections on the internal interface (towards the real
server), and they won't include spoofed connections.
Daniel
