Re: [cobalt-developers] SYN flooding
- Subject: Re: [cobalt-developers] SYN flooding
- From: CJ Johnson <cj.johnson@xxxxxxx>
- Date: Wed Mar 27 08:33:48 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
We have enabled syncookies by default since the Qube-2 and
RaQ-2. There is a slight increase in overhead under extreme
load, but nothing to be concerned about. The 250 MHz Qube-2
under a saturated 100baseT SYN flood attack still supported
reasonable network behavior. The x86 line doesn't even break
a sweat.
Turning the cookies off is probably a bad idea. Without them,
a SYN flood is likely to shut down your server until the flood
ends. (To be precise, the flood makes it very difficult to
create new connections.)
I tend to side with Eddy Dreger's note that blocking the IP
address might be extreme. Most SYN flood attackers spoof the
source address.
You can use tcpdump to verify the alleged source of the flood.
If you are being hit with a spoofed attack, you should see a
TCP RST reply to your system's SYN-ACK. (Because the spoofed
source didn't actually initiate the connection, it sends a
reset, rather than continuing with data).
You can also use tcpdump to count the SYN bytes-per-second.
This will give you an estimate of the size of the network
feed being used to hit you. It will also give you an idea
of how much it is costing (lost bandwidth == $$'s).
Finally, I would try to back trace the packets. Your upstream
network ought to help if you can bypass the front line tech
support (knowing the $$'s figure should help here). From there
on, you get to enter service provider support hell. Also, if
you verify that the source address is spoofed, the spoofee may
be interested in helping to hunt down the spoofer. After all,
for every SYN you get and SYN-ACK you make, the spoofee gets an
unexpected SYN-ACK on his network, and has to send a RST.
If you are still under attack and hit a roadblock tracing the
packets, send another note. This is an area where friends of
friends of friends can prove useful, and the Cobalt developer
list is pretty well connected.
Hope this helps,
cj*
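The two tcpdump checks described in the message (look for RST replies to your SYN-ACKs to spot a spoofed source, and count inbound SYNs per second to size the attacker's feed) can be scripted over a saved capture. The following is an added example and is not code from CJ Johnson's message or anything Cobalt shipped. It assumes tcpdump was run as `tcpdump -nn -tt -i eth0 'tcp and host 192.0.2.10 and port 80'` (no name lookups, epoch timestamps), so the input is tcpdump's one-line TCP summary format; the server address 192.0.2.10, the per-SYN frame size used for the bandwidth estimate, and the sample capture lines are all constructed for the example.

```python
"""SYN flood triage over tcpdump -nn -tt output (added example, assumptions marked)."""
import re
from collections import defaultdict

SERVER_IP = "192.0.2.10"  # ASSUMED: the host under attack

# One TCP summary line from tcpdump -nn -tt: epoch timestamp, src.port > dst.port,
# flag letters inside [...], and the TCP payload length at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<plen>\d+)"
)

# tcpdump's "length" is TCP payload only and a SYN carries none, so estimate the
# wire cost per SYN as a minimum-size Ethernet frame. ASSUMED round figure.
ASSUMED_SYN_FRAME_BYTES = 64

# Constructed capture: one genuine client (198.51.100.4) that finishes the
# handshake, one spoofed-but-alive source (203.0.113.7) that RSTs every SYN-ACK,
# and one source (203.0.113.9) that never answers at all.
SAMPLE = """\
1017243228.101 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
1017243228.102 IP 192.0.2.10.80 > 198.51.100.4.51000: Flags [S.], seq 500, ack 101, win 5840, length 0
1017243228.150 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [.], ack 501, win 65535, length 0
1017243228.200 IP 203.0.113.7.31337 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1017243228.201 IP 192.0.2.10.80 > 203.0.113.7.31337: Flags [S.], seq 700, ack 2, win 5840, length 0
1017243228.250 IP 203.0.113.7.31337 > 192.0.2.10.80: Flags [R], seq 2, win 0, length 0
1017243228.300 IP 203.0.113.7.31338 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1017243228.301 IP 192.0.2.10.80 > 203.0.113.7.31338: Flags [S.], seq 701, ack 2, win 5840, length 0
1017243228.350 IP 203.0.113.7.31338 > 192.0.2.10.80: Flags [R], seq 2, win 0, length 0
1017243229.100 IP 203.0.113.7.31339 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1017243229.101 IP 192.0.2.10.80 > 203.0.113.7.31339: Flags [S.], seq 702, ack 2, win 5840, length 0
1017243229.150 IP 203.0.113.7.31339 > 192.0.2.10.80: Flags [R], seq 2, win 0, length 0
1017243229.200 IP 203.0.113.9.4000 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1017243229.201 IP 192.0.2.10.80 > 203.0.113.9.4000: Flags [S.], seq 900, ack 2, win 5840, length 0
1017243229.400 IP 203.0.113.9.4001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1017243229.401 IP 192.0.2.10.80 > 203.0.113.9.4001: Flags [S.], seq 901, ack 2, win 5840, length 0
"""


def parse_tcpdump(text):
    """Return one dict per parsable TCP summary line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({"ts": float(d["ts"]), "src": d["src"], "dst": d["dst"],
                            "flags": d["flags"], "plen": int(d["plen"])})
    return packets


def is_pure_syn(flags):
    # "S" alone (possibly with ECN letters); "S." is our own SYN-ACK.
    return "S" in flags and "." not in flags


def syn_rate(packets, server_ip):
    """Inbound SYNs per whole second plus an estimated byte count for that second."""
    per_sec = defaultdict(lambda: {"syns": 0, "est_bytes": 0})
    for p in packets:
        if p["dst"] == server_ip and is_pure_syn(p["flags"]):
            bucket = per_sec[int(p["ts"])]
            bucket["syns"] += 1
            bucket["est_bytes"] += ASSUMED_SYN_FRAME_BYTES
    return dict(per_sec)


def classify_sources(packets, server_ip):
    """Per source address: SYNs sent to us, SYN-ACKs we sent back, RSTs and ACKs it returned.

    A source that RSTs every SYN-ACK is alive but never asked for the connection,
    which is the signature of a spoofed address. Silence proves nothing either way:
    the real owner may simply be down or filtered.
    """
    stats = defaultdict(lambda: {"syn": 0, "synack_to": 0, "rst": 0, "ack": 0})
    for p in packets:
        f = p["flags"]
        if p["dst"] == server_ip:
            s = stats[p["src"]]
            if is_pure_syn(f):
                s["syn"] += 1
            elif "R" in f:
                s["rst"] += 1
            elif "." in f:  # third handshake step or data
                s["ack"] += 1
        elif p["src"] == server_ip and "S" in f and "." in f:
            stats[p["dst"]]["synack_to"] += 1
    out = {}
    for src, s in stats.items():
        if s["ack"] > 0:
            verdict = "genuine"   # completed the handshake
        elif s["synack_to"] and s["rst"] >= s["synack_to"]:
            verdict = "spoofed"   # RST to every SYN-ACK
        elif s["synack_to"]:
            verdict = "unknown"   # no reply: spoofed-and-dark, or just silent
        else:
            verdict = "no-synack"
        out[src] = dict(s, verdict=verdict)
    return out


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    for sec, b in sorted(syn_rate(pkts, SERVER_IP).items()):
        print(f"{sec}: {b['syns']} SYN/s, ~{b['est_bytes']} bytes/s on the wire")
    for src, s in classify_sources(pkts, SERVER_IP).items():
        print(f"{src}: syn={s['syn']} synack_to={s['synack_to']} rst={s['rst']} ack={s['ack']} -> {s['verdict']}")
```

On a real capture, feed `tcpdump -nn -tt ... > flood.txt` into `parse_tcpdump(open("flood.txt").read())`; the bytes-per-second figure is the "$$'s" number the message suggests bringing to the upstream provider, and the per-source verdicts tell you which addresses are worth contacting rather than blocking. For the syncookies point, the Linux knob (not mentioned in the message) is `net.ipv4.tcp_syncookies`, readable with `sysctl net.ipv4.tcp_syncookies`; a value of 1 means cookies are on.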