NetFilter

RE: syn DDoS attack solution

To: "'Bgs'" <bgs@bgs.hu>, <netfilter@lists.netfilter.org>
Subject: RE: syn DDoS attack solution
From: "Ric Messier" <kilroy@WasHere.COM>
Date: Thu, 31 May 2007 14:08:01 -0600
Cc:
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <465EF582.4070904@bgs.hu>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization: Chaotic@Best
References: <465EF582.4070904@bgs.hu>
Sender: netfilter-bounces@lists.netfilter.org
Thread-index: Acejn4r4QDEhjrVCT0Gp2dbQtYEa9gAHu3vg
Bgs writes:
> 
>   We recently came under a low-traffic botnet DDoS attack. All attacker
> nodes opened a single tcp session (just SYN part) and then did nothing.
> This rules out rate limiting solutions and syncookie doesn't help
> either. (Thousands of attacking nodes).
> 

This is simply a SYN flood attack. It may or may not be a botnet (though
saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool
would randomize the source address anyway. 

You should try reading the following as a starting point:

http://www.securityfocus.com/infocus/1729

Your second suggestion has been implemented in the TCP/IP stack forever. The
article above gives guidance on how to tune it in a Linux implementation.

Ric
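The tuning Ric points to lives in the Linux TCP stack's sysctl knobs, and the attack Bgs describes (one SYN per node, thousands of nodes) shows up on the victim as a pile of half-open SYN-RECV sockets. The script below is an added example written for this archive page, not code from either poster or from the SecurityFocus article: it emits the three standard Linux sysctls that govern SYN backlog behaviour (net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, net.ipv4.tcp_synack_retries are real kernel parameters; the values chosen are assumptions, not recommendations from the thread) and counts half-open connections per local port from `ss -tan` output. The `ss` listing embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Sysctl names are real Linux
# parameters; the numeric values and the sample `ss` output are constructed.

# Print a sysctl fragment for the listen-queue side of a SYN flood.
# Install with: sysctl -p /etc/sysctl.d/60-synflood.conf (root; not run here).
syn_flood_sysctl() {
    cat <<'EOF'
# Once the SYN backlog is full, answer with SYN cookies instead of dropping
# new SYNs; a one-SYN-per-node flood then cannot exhaust the backlog.
net.ipv4.tcp_syncookies = 1
# Room for half-open (SYN_RECV) entries before cookies take over.
net.ipv4.tcp_max_syn_backlog = 4096
# Fewer SYN-ACK retransmits, so abandoned half-open entries expire sooner
# (kernel default is 5).
net.ipv4.tcp_synack_retries = 2
EOF
}

# Count SYN-RECV sockets per local port from `ss -tan`-style text on stdin.
# Output: "<port> <count>" lines, highest count first. Works for IPv6 too,
# since sub() strips everything up to the last colon of the local address.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { sub(/.*:/, "", $4); n[$4]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort -k2 -nr
}

# Constructed sample of what `ss -tan` might show during such an attack.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
SYN-RECV   0      0      203.0.113.10:80     198.51.100.7:51234
SYN-RECV   0      0      203.0.113.10:80     198.51.100.9:40021
SYN-RECV   0      0      203.0.113.10:443    192.0.2.45:33000
ESTAB      0      0      203.0.113.10:80     192.0.2.88:55123
SYN-RECV   0      0      203.0.113.10:80     198.51.100.200:1025'

# Report ports whose half-open count exceeds a threshold, e.g. a fraction of
# tcp_max_syn_backlog. Reads the constructed sample; on a live box replace
# the printf with: ss -tan
syn_recv_alert() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_SS" | count_syn_recv |
        awk -v t="$threshold" '$2 > t { print "port " $1 ": " $2 " half-open connections" }'
}

# Stand-alone usage: show the sysctl fragment and the per-port report.
syn_flood_sysctl
printf '%s\n' "$SAMPLE_SS" | count_syn_recv
syn_recv_alert 2
```

With syncookies enabled the backlog ceases to be the limiting resource; what remains is the SYN-ACK retransmit traffic to addresses that never reply, which is what tcp_synack_retries bounds. A rising SYN-RECV count on a port while established connections stay flat is the simplest detection signal for the pattern Bgs describes.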


