Monday, March 19, 2007

Syn DOS: Countermeasures

I just got the chance to read the Internet Protocol Journal issue that was sent to me, which you can find here. The article "Defenses against TCP SYN Flooding Attacks" looked interesting to me; it discusses several SYN flooding variants and the host-based and network-based countermeasures against TCP SYN flooding.

Network-based countermeasures seem to be very popular these days for shutting down large DDoS attacks. Ingress filtering and inline devices (firewall/proxy) are the preferred methods when defending against a DDoS attack. Since I love OpenBSD PF, I would suggest you take a look at these two links, which offer similar defense mechanisms (uRPF-based ingress filtering and a SYN proxy) but cost you almost nothing -

http://www.openbsd.org/faq/pf/filter.html#urpf

http://www.openbsd.org/faq/pf/filter.html#synproxy

For host-based countermeasures, it introduces the SYN cache and SYN cookies. I had never understood much about how a SYN cache or SYN cookies actually work until I read it; if you want to know more, you can download another paper that explains the implementation of both mechanisms -

http://www.ece.cmu.edu/~adrian/731-sp05/readings/lemon-syn-cache.pdf
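To make the SYN cookie idea concrete, here is an added, simplified mint-and-verify routine in Python (this is not code from the post, the paper or FreeBSD): the server packs a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple into the 32-bit ISN, keeps no per-connection state, and recovers the MSS from the returning ACK. The secret, the MSS table, the 64-second tick and the bit layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a per-boot secret the server keeps only in memory.
SECRET = b"example-secret-not-for-production"
# Assumed table of MSS values; the 3-bit field in the cookie is an index into it.
MSS_TABLE = (536, 1220, 1440, 1460)


def _hash24(saddr, sport, daddr, dport, counter):
    """Keyed 24-bit digest over the 4-tuple (raw IPv4 bytes, ports) and the time counter."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Mint the ISN for a SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit hash."""
    counter = int(now) >> 6  # assumed 64-second tick
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    digest = _hash24(saddr, sport, daddr, dport, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | digest


def check_cookie(saddr, sport, daddr, dport, ack_seq, now, max_age_ticks=2):
    """Validate the final ACK: ack_seq - 1 must be a cookie minted for this 4-tuple
    within the last max_age_ticks ticks. Returns the encoded MSS, or None to drop."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    tick_now = int(now) >> 6
    cookie_tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    for age in range(max_age_ticks + 1):
        counter = tick_now - age
        if (counter & 0x1F) != cookie_tick:
            continue
        if _hash24(saddr, sport, daddr, dport, counter) == (cookie & 0xFFFFFF):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None
```

Because nothing is stored between the SYN and the ACK, a flood of spoofed SYNs costs the server only a hash per packet, which is the property the syn cache and syn cookie papers trade off against lost TCP options.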

I checked the sysctl settings on my FreeBSD box -

shell>sysctl -a | egrep 'syn(cache|cookie)'
syncache 1 8K - 1
syncache: 100, 15366, 0, 117, 3284
net.inet.tcp.syncookies: 1
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15359
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3

Interestingly, both are implemented in FreeBSD (net.inet.tcp.syncookies is enabled and the syncache limits are visible above). Clearly, you don't really need 999999999999 dollars to build effective mechanisms to defend against DDoS; remember, Open Source is always your friend.

Enjoy ;]
