From owner-freebsd-isp@FreeBSD.ORG Sun Jun 29 15:07:29 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EFF337B401; Sun, 29 Jun 2003 15:07:29 -0700 (PDT)
Received: from zephir.primus.ca (mail.tor.primus.ca [216.254.136.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 57EE143FAF; Sun, 29 Jun 2003 15:07:28 -0700 (PDT) (envelope-from dukemaster@shellfusion.net)
Received: from dialin-131-69.hamilton.primus.ca ([209.90.131.69] helo=DS9) by zephir.primus.ca with esmtp (Exim 3.36 #3) id 19WkK4-0006Wf-0A; Sun, 29 Jun 2003 18:07:00 -0400
From: "Allan Jude - ShellFusion.net Administrator"
To: "'Artyom V. Viklenko'"
Cc: freebsd-isp@freebsd.org
Date: Sun, 29 Jun 2003 18:07:24 -0400
Subject: RE: Shell Provider - DDoS Attacks - IPFW Ratelimiting
In-Reply-To: <3EFDA5A2.4020707@mipk-kspu.kharkov.ua>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Sun, 29 Jun 2003 22:07:29 -0000

Using such 'limit src' firewall rules will not help you; my shell server quickly overran the maximum number of dynamic rules, and even increasing the limit didn't make this plausible because there are 1000s of concurrent connections at any one time. If your traffic is small enough, it might be useful, but if you are using 10mb or 100mb, it will easily blow your firewall away.

-----Original Message-----
From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Artyom V. Viklenko
Sent: Saturday, June 28, 2003 10:27 AM
To: PsYxAkIaS (FreeBSD)
Cc: freebsd-isp@freebsd.org
Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting

PsYxAkIaS (FreeBSD) wrote:
> Hello all,
>
> I currently administer a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets (I've seen even 5000+ IPs) that use ICMP or TCP floods on ports 21/80/113 (ftp/http/ident) and/or sometimes UDP floods. Our connection is 10 mbps and we are planning to move to 100 mbps. However, I am trying to find some solutions to limit the problem, like a Cisco firewall or some special technical support from the colocation ISP (Internap), because sometimes attacks are over 100 mbps, like 300-350 mbps.
>
> -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <---
>
> Anyway, in order to slow down DDoS attacks we are thinking to set a ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following:
>
> For example, to limit 400 kbps on 212.*:
> ----------------------------------------------------------
> ipfw pipe 1 config bw 400Kbit/s delay 50ms
> ipfw add 100 pipe 1 ip from 212.0.0.0/8 to any
> ipfw add 101 pipe 1 ip from any to 212.0.0.0/8
>

You can try to use 'limit src-addr n' in ipfw rules. n is the number of concurrent connections from a single IP address. It is very useful with stateful filtering. Hope this helps in case of TCP-based attacks such as SYN-flood.

_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
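Editor's worked example, added to this archived thread; it is not code from any of the posters. It puts the two suggestions from the thread, a dummynet pipe and 'limit src-addr', into one sh script with the ipfw rule syntax corrected, and adds a small check for the dynamic-rule table whose exhaustion Allan reports. The prefix 212.0.0.0/8 and the 400 Kbit/s figure come from the quoted post; the per-source cap of 20, the dyn_max of 65536 and the port list 21,80,113 are assumed values chosen for illustration, as is the DRY_RUN switch. Run it with DRY_RUN=1 to print the ipfw commands for review, or with the argument "apply" on the firewall itself.

```shell
#!/bin/sh
# Added example for the freebsd-isp thread above; not code from either
# poster. Assumptions (not from the thread): the per-source cap, the
# dynamic-table size and the port list are illustrative, and ipfw is
# built with DUMMYNET. The prefix and rate are the quoted post's values.

PREFIX=${PREFIX:-212.0.0.0/8}
RATE=${RATE:-400Kbit/s}
PER_SRC=${PER_SRC:-20}       # concurrent TCP connections allowed per source
DYN_MAX=${DYN_MAX:-65536}    # size of the dynamic (keep-state/limit) rule table

# With DRY_RUN set, print each command instead of running it so the ruleset
# can be reviewed (or diffed against the live one) before it is applied.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_ruleset() {
    # 'limit' and 'keep-state' create one dynamic rule per flow and stop
    # matching once dyn_count reaches dyn_max, which is the failure Allan
    # describes. Size the table explicitly and expire half-open (SYN-only)
    # states quickly so a SYN flood cannot pin them.
    run sysctl net.inet.ip.fw.dyn_max="$DYN_MAX"
    run sysctl net.inet.ip.fw.dyn_syn_lifetime=10

    # By default (one_pass=1) a packet leaves the ruleset after a pipe, so
    # the stateful rules below would never see traffic for $PREFIX. Turn
    # that off so shaped packets continue to the next rule.
    run sysctl net.inet.ip.fw.one_pass=0

    # One pipe per direction so inbound and outbound do not share the budget.
    run ipfw pipe 1 config bw "$RATE"
    run ipfw pipe 2 config bw "$RATE"
    run ipfw add 100 pipe 1 ip from "$PREFIX" to any
    run ipfw add 101 pipe 2 ip from any to "$PREFIX"

    # Stateful filtering with a per-source cap on new connections to the
    # services the thread names (ftp, http, ident).
    run ipfw add 200 check-state
    run ipfw add 210 allow tcp from any to me 21,80,113 setup limit src-addr "$PER_SRC"
    run ipfw add 220 allow tcp from any to me established
}

# Report whether the dynamic rule table is near capacity. Arguments: current
# entry count, configured maximum, warning threshold in percent (default 80).
# Returns 0 while there is headroom and 1 once the threshold is reached. On
# a FreeBSD box feed it the output of
#   sysctl -n net.inet.ip.fw.dyn_count   and   sysctl -n net.inet.ip.fw.dyn_max
dyn_headroom() {
    count=$1
    max=$2
    pct=${3:-80}
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    if [ $(( count * 100 / max )) -ge "$pct" ]; then
        printf 'dynamic rules %s/%s at or above %s%%: limit rules will stop matching\n' \
            "$count" "$max" "$pct" >&2
        return 1
    fi
    return 0
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

The check matters because a full dynamic table fails quietly: new flows simply stop matching the limit rule. It is also worth keeping the thread's own caveat in view: a 300 Mbit/s flood saturates a 10 or 100 Mbit/s uplink before any packet reaches ipfw, so host-side shaping only helps against floods smaller than the link, and the rest has to be dropped upstream by the colocation provider.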