Spoofing

[vamos]

Hello, does someone know how to block spoofed attacks?

tcp4       0      0 91.121.79.254.80       5.224.118.199.491      SYN_RCVD
tcp4       0      0 91.121.79.254.80       46.188.252.180.42082   SYN_RCVD
tcp4       0      0 91.121.79.254.80       90.218.4.42.15064      SYN_RCVD
tcp4       0      0 91.121.79.254.80       68.114.59.148.9474     SYN_RCVD
tcp4       0      0 91.121.79.254.80       189.105.229.90.2691    SYN_RCVD
tcp4       0      0 91.121.79.254.80       4.117.202.149.34766    SYN_RCVD
tcp4       0      0 91.121.79.254.80       85.113.41.27.12836     SYN_RCVD
tcp4       0      0 91.121.79.254.80       60.179.208.2.43017     SYN_RCVD
tcp4       0      0 91.121.79.254.80       130.230.5.225.48699    SYN_RCVD
tcp4       0      0 91.121.79.254.80       37.157.170.62.47147    SYN_RCVD
tcp4       0      0 91.121.79.254.80       87.30.222.235.48497    SYN_RCVD
tcp4       0      0 91.121.79.254.80       186.225.159.9.4500     SYN_RCVD
tcp4       0      0 91.121.79.254.80       119.138.198.61.40957   SYN_RCVD
tcp4       0      0 91.121.79.254.80       32.171.59.30.15825     SYN_RCVD
tcp4       0      0 91.121.79.254.80       34.252.217.93.57285    SYN_RCVD
tcp4       0      0 91.121.79.254.80       197.247.163.139.31296  SYN_RCVD
tcp4       0      0 91.121.79.254.80       124.0.187.3.54439      SYN_RCVD
tcp4       0      0 91.121.79.254.80       26.202.205.231.49309   SYN_RCVD
tcp4       0      0 91.121.79.254.80       43.235.124.241.17400   SYN_RCVD
tcp4       0      0 91.121.79.254.80       16.245.37.247.12798    SYN_RCVD
tcp4       0      0 91.121.79.254.80       100.199.72.228.56441   SYN_RCVD
tcp4       0      0 91.121.79.254.80       119.6.56.46.47514      SYN_RCVD
tcp4       0      0 91.121.79.254.80       206.134.92.154.32556   SYN_RCVD
tcp4       0      0 91.121.79.254.80       44.147.118.245.33054   SYN_RCVD
tcp4       0      0 91.121.79.254.80       101.176.246.193.22685  SYN_RCVD
tcp4       0      0 91.121.79.254.80       80.4.48.138.44624      SYN_RCVD
tcp4       0      0 91.121.79.254.80       157.0.153.64.49502     SYN_RCVD
tcp4       0      0 91.121.79.254.80       139.116.53.119.31391   SYN_RCVD
tcp4       0      0 91.121.79.254.80       208.246.162.174.46772  SYN_RCVD
tcp4       0      0 91.121.79.254.80       241.3.38.191.26106     SYN_RCVD
tcp4       0      0 91.121.79.254.80       150.205.114.213.22034  SYN_RCVD
tcp4       0      0 91.121.79.254.80       89.136.9.148.59070     SYN_RCVD
tcp4       0      0 91.121.79.254.80       52.179.107.123.63740   SYN_RCVD
tcp4       0      0 91.121.79.254.80       86.8.39.26.54372       SYN_RCVD
tcp4       0      0 91.121.79.254.80       220.32.146.130.59926   SYN_RCVD
tcp4       0      0 91.121.79.254.80       145.245.30.143.4994    SYN_RCVD
tcp4       0      0 91.121.79.254.80       13.4.104.179.61433     SYN_RCVD
tcp4       0      0 91.121.79.254.80       29.193.254.57.25498    SYN_RCVD
tcp4       0      0 91.121.79.254.80       143.34.85.101.45984    SYN_RCVD
tcp4       0      0 91.121.79.254.80       216.66.127.154.63695   SYN_RCVD
tcp4       0      0 91.121.79.254.80       32.204.34.72.21369     SYN_RCVD
tcp4       0      0 91.121.79.254.80       198.49.60.128.44946    SYN_RCVD
tcp4       0      0 91.121.79.254.80       186.10.233.60.6205     SYN_RCVD
tcp4       0      0 91.121.79.254.80       165.85.253.93.4751     SYN_RCVD

I'm using IPFW and I really don't know how to block it, if someone knows, please help, thanks

 

[Anonymous]

ipfw got three rule options for creating anti-spoofing rules, namely verrevpath, versrcreach, and antispoof, see ipfw(8)(). Pattern matching works by verifying whether the IP address is reachable via the interface the packets came in. So a packet coming in via an external interface and claiming to have an internal address could be blocked.

However, I fear that these options are useless in your case, since all the spoofed addresses are external addresses and (at least in theory) would be reachable via the same interface they came in.

So, you have to think about other strategies:

1) Perhaps, you could restrict access to the service running on 91.121.79.254:80 to certain source IP addresses only - if this service is a public Web-Server, then this would be out of consideration, of course.

2) Perhaps, the syn-flood packets share all the same characteristics, for example the packet size, in this case, you could perhaps adopt a strategy as suggested in this post: http://forums.freebsd.org/showpost.php?p=212861&postcount=10.

 

[vamos]

Thanks for answer, how to know what size is using the IPs of attacks?

 

[Anonymous]

tcpdump(1)()

Anyway, packet size filtering is not an option either, because the payload of all SYN packets is 0, so all SYN packets, either valid or invalid, do have the same size. I forgot this detail when I sent my first response.

 

[vamos]

Thanks for your answer, maybe you have a tutorial for the best configuration of Apache? I've tried to make a better config on MPM but high latency with Apache (dedicated seems as stable).

 

[kpa]

I'm not exactly sure if this would work but I'm thinking that the source addresses used as spoofed source addresses can not be totally random but very likely to be repeated in this type of attacks. So why not use something like pf(4)'s source-track options assuming ipfw(4) has something similar? Limit the number of states creted by one source address to something sensible to a number that still does not block legitimate users.