2007/2/7, Daniel Hartmeier <[EMAIL PROTECTED]>:
> On Wed, Feb 07, 2007 at 11:56:05AM +0800, frank hu wrote:
> > What is the solution?
> Make it a two-step process. Use synproxy for incoming connections on the
> external interface, with a larger state limit and adaptive timeouts, like
>
>   set limit states 10000
>   set timeout interval 1
>   pass in on $ext_if inet proto tcp from any to any port 80 \
>       synproxy state (max 5000, tcp.first 5, \
>       adaptive.start 10, adaptive.end 5000)
> ..
> It depends on how many connection attempts per second the
> DoS delivers vs. the frequency of legitimate connection attempts.
The DoS tool could generate 130Kpps and easily fill 50000 state entries
within 2~3 seconds. No legitimate connection could win the race against
it. See below:
# netstat -I em1 1
            em1 in             em1 out                total in            total out
   packets  errs    packets  errs colls    packets  errs    packets  errs colls
        18     0         26     0     0         46     0         43     0     0
        20     0         27     0     0         48     0         47     0     0
     93168     0         28     0     0      93200     0         45     0     0
    119518     0         28     0     0     119549     0         46     0     0
    132228     0         25     0     0     132257     0         43     0     0
    131612     0         20     0     0     131631     0         33     0     0
    131457     0         20     0     0     131481     0         36     0     0
..
# vmstat 1
 procs    memory       page                    disk   traps          cpu
 r b w    avm    fre   flt  re  pi  po  fr  sr wd0   int   sys   cs us sy  id
 0 5 0 309228  67004    82   0   0   0   0   0   0   639   515   92  0  3  97
 0 5 0 309228  67004    31   0   0   0   0   0   0   313   423   91  0  0 100
 0 5 0 309228  67004    15   0   0   0   0   0   0   419   385   90  0  2  98
 0 5 0 309228  67004    14   0   0   0   0   0   0  7821   383   91  1 81  18
 0 5 0 309228  67004    14   0   0   0   0   0   0  8616   201   62  1 96   3
 0 5 0 309228  67004    30   0   0   0   0   0   0  8398   432   77  0 97   3
 0 5 0 309228  67004    14   0   0   0   0   0   0  8300   239   76  0 98   2
..
So is it possible to drop every first SYN packet and ask the sender to
resend it, just as spamd does?
That way, the DoS tool will never create state but a legitimate connection
will. Just some thoughts. :)
It is worth adding some anti-DoS measures in pf now.
Regards,
Frank
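An added example, not part of the thread or of pf itself: it models the adaptive timeout scaling that pf.conf(5) applies to Daniel's rule (tcp.first 5, adaptive.start 10, adaptive.end 5000), and Frank's "drop the first SYN" idea as a hypothetical bounded-memory SYN greylist. The traffic, addresses, hash-slot table and 3 s retransmit delay are constructed for the simulation.

```python
import zlib
from array import array

def adaptive_timeout(base, states, start, end):
    """pf.conf(5) adaptive scaling: above adaptive.start a rule's timeouts shrink
    linearly, reaching 0 at adaptive.end. With tcp.first 5, adaptive.start 10 and
    adaptive.end 5000 as in the rule above, 2505 states give a 2.5 s first-SYN timeout."""
    if states <= start:
        return float(base)
    if states >= end:
        return 0.0
    return base * (end - states) / (end - start)

class SynGreylist:
    """Hypothetical SYN greylist (constructed for this example, not a pf feature):
    the first SYN of a flow is dropped and only a retransmit arriving within
    `window` seconds creates state. First-SYN times live in a fixed-size array
    indexed by a hash of (src, dst, dport), so a flood cannot grow the table;
    the cost is that two flows sharing a slot may pass on their first SYN."""

    def __init__(self, slots=1 << 20, window=30.0):
        self.slots, self.window, self.states = slots, window, 0
        self.seen = array("d", [0.0]) * slots   # first-SYN time per slot, 0.0 = empty

    def offer(self, now, src, dst, dport):
        """Return True if this SYN may create state, False if it is dropped."""
        idx = zlib.crc32(f"{src}>{dst}:{dport}".encode()) % self.slots
        first = self.seen[idx]
        if first and now - first <= self.window:
            self.states += 1
            return True
        self.seen[idx] = now          # remember it; the client has to retransmit
        return False

def simulate(flood_pps=130000, flood_seconds=0.1):
    """Constructed traffic: one legitimate client whose stack retransmits its SYN
    3 s later, and flood_pps spoofed sources per second that never retransmit."""
    g = SynGreylist()
    legit_first = g.offer(1.0, "192.0.2.10", "203.0.113.1", 80)   # dropped
    n = int(flood_pps * flood_seconds)
    for i in range(n):                                           # 13000 distinct sources
        g.offer(1.0 + i / flood_pps, f"10.0.{i >> 8}.{i & 255}", "203.0.113.1", 80)
    flood_states = g.states                                      # only hash collisions
    legit_retry = g.offer(4.0, "192.0.2.10", "203.0.113.1", 80)   # retransmit passes
    return legit_first, legit_retry, flood_states, n

if __name__ == "__main__":
    print(adaptive_timeout(5, 2505, 10, 5000), simulate())
```

The few flood states that do appear come from slot collisions; sizing the table or keying it with a secret would lower that rate, but the point is that the table size is fixed whatever the flood rate.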