start_code
accept:
load 1 r0
stop
reject:
load 0 r0
stop
rate_limit_1kpps:
channel_state p1 u64 -
test_rate_le p1 0 10pkts 10ms
jmp_if_not reject
jmp accept
stop
end_code
Defending Against a SYN flood
A SYN flood is one of the most common Denial of Service (DoS) attacks. SYN floods made up
well over 30% of the DoS traffic over the past year, and their use is growing. Recently a large web
retailer was found to have had part of its cloud service compromised and redirected as a DoS
attack platform. Fortunately for packet filtering NICs this type of assault is fairly easy to deal
with. Very few attackers respond to the SYN-ACK your server would normally send in response
to their SYN request. If we move the creation of this reply from the operating system to the NIC,
we free up the OS and the host CPU, removing the impact of this attack on your server. Coupled
with rate limiting of incoming traffic, any SYN flood that reached your server would no longer
significantly impact it. Here is an example of a SYN filter, sans header, that could be added to
address a SYN flood; note that the entry point is “start_filter_syn”:
start_code
accept:
load 1 r0
stop
reject:
load 0 r0
stop
start_filter_syn:
test_ip4
jmp_if_not accept
load_tcp_flags r2
test_mask_match r2 syn syn
jmp_if_not accept
jmp reject
stop
end_code
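As an added example (not the magazine's or any NIC vendor's code), a small Python interpreter for the SYN filter listing above, run over constructed packet dictionaries. The opcode semantics are assumed from the listing itself: test_* opcodes set a condition flag, jmp_if_not branches when that flag is clear, and r0 carries the verdict (1 = accept, 0 = reject).

```python
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10}
SYN_FILTER = """
accept:
    load 1 r0
    stop
reject:
    load 0 r0
    stop
start_filter_syn:
    test_ip4
    jmp_if_not accept
    load_tcp_flags r2
    test_mask_match r2 syn syn
    jmp_if_not accept
    jmp reject
    stop
"""
def parse(program):
    labels, code = {}, []                      # label -> instruction index
    for line in (l.strip() for l in program.strip().splitlines()):
        if line.endswith(":"):
            labels[line[:-1]] = len(code)
        elif line:
            code.append(line.split())
    return labels, code

def run_filter(program, entry, pkt):
    """Run a listing on one packet dict; returns r0 (1 = accept, 0 = reject).
    Opcode semantics are assumed from the page's listings, not taken from a vendor spec."""
    labels, code = parse(program)
    regs, cond, pc = {f"r{i}": 0 for i in range(4)}, False, labels[entry]
    while True:
        op, *args = code[pc]
        pc += 1
        if op == "stop":
            return regs["r0"]
        if op == "load":                       # load <imm> <reg>
            regs[args[1]] = int(args[0])
        elif op == "test_ip4":                 # sets the condition flag
            cond = pkt.get("ip_version") == 4
        elif op == "load_tcp_flags":           # non-TCP packets read as no flags
            regs[args[0]] = pkt.get("tcp_flags", 0)
        elif op == "test_mask_match":          # (reg & mask) == match
            cond = (regs[args[0]] & FLAG_BITS[args[1]]) == FLAG_BITS[args[2]]
        elif op == "jmp":
            pc = labels[args[0]]
        elif op == "jmp_if_not":
            pc = labels[args[0]] if not cond else pc
        else:
            raise ValueError(f"unknown opcode {op}")
```

Under these assumed semantics a mask of `syn` alone also matches SYN+ACK replies to the host's own outbound connections, so before deploying such a filter confirm how the NIC language expresses a combined syn+ack mask.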
Cyber Warnings Magazine, September Edition
Copyright © Cyber Defense Magazine. All rights reserved worldwide.