Date:      Sun, 5 Jan 2003 13:05:09 -0800 (PST)
From:      Josh Brooks <user@mail.econolodgetulsa.com>
To:        freebsd-net@freebsd.org
Subject:   Need help dealing with (D)DoS attacks (desperately)
Message-ID:  <20030105124644.Q80512-100000@mail.econolodgetulsa.com>


Hi.

I am running this as my firewall/router:

4.4-RELEASE FreeBSD 4.4-RELEASE #0

And I have no ability to change that anytime soon.  Recently I have been
having a lot of trouble with floods/ddos/etc.  When these attacks occur,
my firewall is totally unresponsive, I cannot ssh in to type a single
command (and thus cannot tcpdump anything) and clients of systems on the
inside either get no response, or get:

ssh_exchange_identification: read: Connection reset by peer

(and things like that)

--------

So far, I have only done two things to my firewall.  First, I upped
NMBCLUSTERS to the point that I am now running at:

# netstat -m
650/4768/32768 mbufs in use (current/peak/max):
        650 mbufs allocated to data
559/4524/8192 mbuf clusters in use (current/peak/max)
10240 Kbytes allocated to network (41% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

So therefore I can conclude that the unresponsiveness, etc., is not due to
running out of mbuf clusters.

The only other thing I did was:

sysctl -w net.inet.icmp.drop_redirect=1

I have no reason to suspect I am getting redirects, but it seemed like a
good idea to do anyway.

So that is all I have done to the firewall in terms of
protection/hardening.

-----------

So now I need to know what else I can do.  All I know is that I am getting
attacks that are _not_ saturating the physical pipe, but are cutting my
network off from the rest of the world because the firewall simply refuses
to do anything - it's just hung.  Generally, of the 15meg pipe we have, we
have about 6-9 megs of traffic during an attack, so the pipe is _not_
saturated, but again, the firewall just hangs during it.

I am open to any suggestions.  The only thing I can find that I might do
is:

ipfw add drop tcp from any to any tcpflags syn,fin

which I am led to believe is functionally equivalent to the
TCP_DROP_SYNFIN option and sysctl.  Is this ipfw rule a general protection
against syn floods ?

Also what is the downside to doing this ?  I read not to do it on
webservers - this firewall runs _nothing_ but ssh, so presumably it is
safe, but there are a LOT of servers behind this firewall that _do_ run
web servers, ircds, mail servers, etc. - will it have any effect on them ?
Will it even be useful at all since the firewall is presumably not even
the target, but rather the target is on the other side of the firewall ?

-----------

Again, any and all suggestions appreciated - even theoretical guesses as
to what kind of attack/traffic would make the firewall just hang like that
and not process any traffic, even though mbuf clusters were not maxed
out...

I am not concentrating on the syn-fin stuff above because I think it is the
right thing, only because it is all I can come up with - so anything is
appreciated.

thanks!
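The ipfw rule quoted in the message (`tcpflags syn,fin`) matches only segments carrying both SYN and FIN, with all other flags treated as don't-care. As an added illustration that is not part of the original post, the following Python parses a minimal IPv4/TCP packet, applies the same predicate, and runs it over a few constructed segments (normal connect, handshake reply, normal close, and the SYN+FIN case the rule is meant to drop); the packet builder, addresses and ports are constructed sample data, not captured traffic.

```python
import struct

# TCP flag bits of the flags byte (offset 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(ipv4_packet: bytes) -> int:
    """Return the TCP flags byte of an IPv4 packet carrying TCP (protocol 6)."""
    ihl = (ipv4_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ipv4_packet[9] != 6:
        raise ValueError("not a TCP packet")
    return ipv4_packet[ihl + 13]


def matches_synfin(ipv4_packet: bytes) -> bool:
    """Same predicate as 'ipfw add drop tcp from any to any tcpflags syn,fin':
    true only when BOTH SYN and FIN are set; other flags are don't-care."""
    return tcp_flags(ipv4_packet) & (SYN | FIN) == (SYN | FIN)


def build_packet(flags: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr


SAMPLES = {                                    # constructed, hypothetical traffic
    "syn (normal connect)": build_packet(SYN),
    "syn|ack (handshake reply)": build_packet(SYN | ACK),
    "fin|ack (normal close)": build_packet(FIN | ACK),
    "syn|fin": build_packet(SYN | FIN),
    "syn|fin|psh|urg": build_packet(SYN | FIN | PSH | URG),
}


def filter_decisions(samples=SAMPLES) -> dict:
    """Map each sample name to the verdict the rule would give it."""
    return {name: ("drop" if matches_synfin(pkt) else "pass")
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in filter_decisions().items():
        print(f"{name:28s} -> {verdict}")
```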





