NetBSD-Users archive
Re: Handling of DOS attacks in NetBSD 5
On Tue, Jan 04, 2011 at 09:36:30AM -0700, Sverre Froyen wrote:
> Hi,
>
> In the past, I have observed DOS attacks where a client connects to port 80
> and then leaves the connection open indefinitely. Repeating the process can
> easily tie up all available http processes.
>
> I recently upgraded several servers to NetBSD 5 and I now observe a slightly
> modified behavior, presumably because of the accept_filter(9) addition to the
> kernel. Instead of http process starvation, I now observe between one and two
> hundred TCP connections that are in the "ESTABLISHED" state (as reported by
> netstat -s). Once this happens, the server denies additional HTTP requests.
>
> Here's a small fragment of a "netstat -an" output:
>
> tcp 0 0 x.x.x.x.80 x.x.x.x.3225 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3220 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3219 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3211 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3205 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3200 ESTABLISHED
> tcp 0 0 x.x.x.x.80 x.x.x.x.3196 ESTABLISHED
>
> Is there a way to terminate such a bogus connection individually? I notice
> that "apachectl restart" leaves them open, whereas "apachectl stop" clears
> them.
tcpdrop(8)?
> How can I adjust the number of connections that the kernel allows? What is
> the resource use per connection? I'm thinking that if I could increase the
> limit by, say, a hundredfold, I could turn it into a nuisance rather than an
> emergency.
>
> Any other thoughts?
>
> Thanks,
> Sverre
--
Brad Harder
Method Logic Digital Consulting
http://methodlogic.net
http://twitter.com/bcharder
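As an added illustration (not part of the thread, and not code from either poster), the following POSIX shell script turns the two observations above into a repeatable check: it parses `netstat -an` output in the NetBSD `addr.port` form shown in the question, counts ESTABLISHED connections to a chosen local port per remote host, and prints one `tcpdrop(8)` command (`tcpdrop laddr lport faddr fport`, as in that manual page's synopsis) for every connection from a host holding more than a threshold. The sample netstat lines, the addresses and the ports are constructed for the example; the commands are printed rather than executed so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Constructed sample of "netstat -an" output (addresses from documentation
# ranges, not real traffic). NetBSD prints sockets as addr.port.
SAMPLE_NETSTAT='tcp        0      0  10.0.0.5.80            192.0.2.77.3225        ESTABLISHED
tcp        0      0  10.0.0.5.80            192.0.2.77.3220        ESTABLISHED
tcp        0      0  10.0.0.5.80            198.51.100.9.51002     ESTABLISHED
tcp6       0      0  2001:db8::5.80         2001:db8::99.40000     ESTABLISHED
tcp        0      0  10.0.0.5.22            198.51.100.9.51010     ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN'

# stdin: netstat -an output; stdout: "laddr lport faddr fport" for every
# ESTABLISHED tcp/tcp6 socket whose local port is $1.
established_to_port() {
    awk -v lport="$1" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            # The port is everything after the last "."; the address is the rest.
            n = split($4, l, "."); if (l[n] != lport) next
            m = split($5, r, ".")
            laddr = l[1]; for (i = 2; i < n; i++) laddr = laddr "." l[i]
            faddr = r[1]; for (i = 2; i < m; i++) faddr = faddr "." r[i]
            print laddr, lport, faddr, r[m]
        }'
}

# stdin: tuples from established_to_port; stdout: remote hosts holding
# more than $1 connections.
hosts_over() {
    awk -v t="$1" '{ c[$3]++ } END { for (h in c) if (c[h] > t) print h }'
}

# Print (do not run) one tcpdrop(8) command per connection from any remote
# host with more than $2 ESTABLISHED connections to local port $1.
drop_commands() {
    conns=$(established_to_port "$1")
    for h in $(printf '%s\n' "$conns" | hosts_over "$2"); do
        printf '%s\n' "$conns" | awk -v h="$h" '$3 == h { print "tcpdrop", $1, $2, $3, $4 }'
    done
}

# Demo on the constructed sample: flag hosts with more than one connection.
# On a live system: netstat -an | drop_commands 80 20
printf '%s\n' "$SAMPLE_NETSTAT" | drop_commands 80 1
```

The threshold is per remote host rather than global because a single legitimate client (a proxy, a NAT gateway) can hold a handful of keep-alive connections; pick a value well above that and review the printed list before piping it through `sh`. Dropping the sockets frees the httpd children but does not stop the client reconnecting, so the same count is worth logging periodically as a detection signal.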