Re: syn DDoS attack solution

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bgs <bgs@bgs.hu>
To: Ric Messier <kilroy@WasHere.COM>
Cc: netfilter@lists.netfilter.org
Subject: Re: syn DDoS attack solution
Date: Fri, 01 Jun 2007 17:37:06 +0200	[thread overview]
Message-ID: <46603D22.4020608@bgs.hu> (raw)
In-Reply-To: <007101c7a45d$bc50e380$34f2aa80$@COM>

Sorry if my first mail was misleading, I only slept about 5-6 hours this 
week in all :/

>> How is the handling of ESTABLISHED connections implemented in the
>> TCP/IP
>> stack?
> 
> There is likely a timer somewhere to time out connections that are just
> hanging around doing nothing. You'd have to dig around to find it and turn
> it down. You could also use something like tcpkill to get rid of them for
> you. 

What I'd like to achieve is different from the normal tcp timeouts. I 
only want a different (quite short in terms of everyday tcp traffic) 
timeout for connections that have not sent any data after the tcp 
handshake. The connections that did any traffic would become normal or 
'legitimate' and the usual tcp timeouts would apply.

About the netlink approach, here is what I was thinking about. I have 
never coded in the netlink/netfilter space so I'm completely in the dark 
if this can be done at all or not:

Client sends SYN to server. It arrives to the firewall. An info is sent 
to the userspace portion and the SYN packet is DROPed. The user space 
program logs the SYN packet and sends out an appropriately constructed 
SYN/ACK to the client. Client sends the ACK. The info is sent to util 
which logs the packet and puts the connection in allowed state as it 
knows from it's own db that the tcp handshake was ok. At this point it 
either starts the next phase or waits for the first data packet and 
starts the next phase then (allowing the data packet after it). The next 
phase is: userland replays the SYN handshake with the server thus making 
it receptive to the tcp stream to come. Through netlinks firewall part 
it would allow all subsequent traffic.

The main point is almost identical to the syn proxy thingie in bsd and 
ios, the main difference would be the ability to add some policy about 
when and how to let the traffic through to the server. For example with 
delayed replay, connections in ESTABLISHED state but without data would 
be dropped from the replay db stopping the culprit at the firewall.

Just a thought... can it be done (technically) or should I simply go to 
bed :)

Regards
Bgs

next prev parent reply	other threads:[~2007-06-01 15:37 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-05-31 16:19 syn DDoS attack solution Bgs
2007-05-31 19:57 ` R. DuFresne
2007-06-01  9:45   ` Bgs
2007-05-31 20:08 ` Ric Messier
2007-06-01  1:20   ` Tony.Ho
2007-06-01  9:44   ` Bgs
2007-06-01 15:01     ` Ric Messier
2007-06-01 15:37       ` Bgs [this message]
2007-06-02 19:07         ` R. DuFresne
2007-06-04 14:22           ` Ric Messier
2007-06-04 17:24           ` Martin McKeay
2007-06-04 23:16             ` R. DuFresne
2007-06-05  8:29             ` Bgs
2007-06-05 14:16               ` Steven M Campbell
2007-06-05 15:22                 ` ..prevention, was: " Arnt Karlsen
2007-06-05 15:40                   ` Steven M Campbell
2007-06-05 15:40                     ` Steven M Campbell
2007-06-05 18:34                       ` Arnt Karlsen
2007-06-07 18:41                     ` Martin McKeay
2007-06-08  1:40                       ` Arnt Karlsen
2007-06-12 18:10                       ` Martin McKeay
2007-06-12 22:44                         ` R. DuFresne
2007-06-13 14:24                           ` Martin McKeay
2007-06-13 17:26                             ` Arnt Karlsen
2007-06-13 17:44                               ` Martin McKeay
2007-06-14 19:43                                 ` R. DuFresne
2007-06-14 20:13                                   ` supportnew
2007-06-01 21:34       ` Martijn Lievaart
2007-06-01 21:37         ` Martijn Lievaart
2007-06-01 21:38         ` Ric Messier
2007-06-01 23:09         ` Ethy H. Brito
2007-06-19 18:22         ` R. DuFresne
2007-06-19 22:19           ` Robert Nichols
2007-06-19 23:02             ` Pascal Hambourg
2007-06-21 18:26             ` R. DuFresne

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46603D22.4020608@bgs.hu \
    --to=bgs@bgs.hu \
    --cc=kilroy@WasHere.COM \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.