Synflood causes firewall failure, even after flood stops.
-
Hey there! Been experiencing some synflooding from randomized addresses. The bandwidth used doesn't seem to be overwhelming but after just a few seconds the firewall simply stops passing any traffic, and won't start again until the hardware is restarted regardless of when the flood stops. The hardware is a Dell PowerEdge R300 with Intel NICs.
I think the firewall is blocking the flood, I get a spike in blocked packets as it happens. The packets per second indicated in the RRD graphs do not look excessive, but it might be reading low so I managed to get a packet capture of one of the attacks, and have attached it. It seems like once it's blocked too many attempts it just shuts down.
Syn proxy made no difference either way. So I tried increasing the state table to several million (as limited by RAM). This had no effect, so then I set aggressive limits on connections per host, number of hosts, connections per second, state timeout, etc. I'll update this post if those changes end up being effective, but I think the problem is somewhere else since the firewall does seem to be blocking then failing. CPU use on the RRD graph doesn't break 50% at the time of attack.
(The packet capture linked below has been filtered of all traffic apart from the flood.)
http://lastelement21.homelinux.net:8080/capturesynflood.pcap
-
Apparently synflood attacks (for traffic that's allowed to pass, rather than get blocked) are the most effective ones against firewalls, since the limit of new states per second is typically their Achilles heel.
Synproxy has other adverse effects and shouldn't be always-on.
I guess that the SMP-pf (including in upcoming FreeBSD 10) would help, as long as one has enough bandwidth to withstand the DDoS attack, but that's in the future …
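The two posts above describe a randomized-source SYN flood and the per-second new-state limit it hits. The following added example (not from the thread or the linked capture) shows how a defender would confirm that pattern from packet records: it buckets SYN-only packets per second, checks how spread out the source addresses are, and estimates how many half-open states a given SYN rate leaves in the table for a given first-packet state timeout. Packet data is constructed inline; the thresholds and the 30 s timeout are assumed values, not pf defaults.

```python
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

def make_sample():
    """Constructed records (timestamp, src_ip, tcp_flags); not a real capture."""
    pkts = []
    # normal traffic in second 0: four hosts, each completing its handshake
    for i in range(20):
        t = i * 0.05
        src = f"10.0.0.{i % 4 + 1}"
        pkts += [(t, src, SYN), (t + 0.01, src, ACK)]
    # flood in second 1: 400 SYN-only packets from random-looking sources
    for i in range(400):
        pkts.append((1.0 + i / 400, f"203.0.113.{i % 250}", SYN))
    return sorted(pkts)

def syn_rate_by_second(pkts):
    """Per one-second bucket: (SYN-only packet count, distinct source count)."""
    syns, srcs = Counter(), defaultdict(set)
    for ts, src, flags in pkts:
        if flags & SYN and not flags & ACK:
            bucket = int(ts)
            syns[bucket] += 1
            srcs[bucket].add(src)
    return {b: (syns[b], len(srcs[b])) for b in syns}

def flood_seconds(pkts, syn_threshold=100, distinct_ratio=0.5):
    """Seconds with a high SYN rate spread over many sources (spoofed flood)."""
    return [b for b, (n, d) in sorted(syn_rate_by_second(pkts).items())
            if n >= syn_threshold and d / n >= distinct_ratio]

def half_open_states(syn_per_sec, first_timeout_s):
    """Steady-state half-open entries: arrival rate times how long each lingers."""
    return syn_per_sec * first_timeout_s

if __name__ == "__main__":
    sample = make_sample()
    for sec, (n, d) in sorted(syn_rate_by_second(sample).items()):
        print(f"t={sec}s syn-only={n} distinct-src={d}")
    print("flood seconds:", flood_seconds(sample))
    print("half-open states at 400 SYN/s, 30 s timeout:", half_open_states(400, 30))
```

Multiplying the observed SYN rate by the state timeout gives the table size the flood alone sustains, which is why raising the table limit without shortening the first-packet timeout or rate-limiting new states makes little difference.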