From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 02:06:34 2013
From: khatfield@socllc.net
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sat, 9 Feb 2013 19:57:08 -0600
Message-Id: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc.), install pf or ipfw and do some straightforward deny/allow + source spoof settings.

Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Deny all ICMP (drop, I mean) and UDP except where specifically required.

And just do general hardening... Get yourself a static IP or VPN. Deny all console/SSH access except to that IP. Same here, a simple host deny will satisfy this need.

The less you do with the firewall (routing/blocking/inspecting) the better.

Drop drop drop ;)

In the end, with proper tuning and a good Intel NIC you can saturate a 1Gbps connection with legit traffic and block most high-PPS floods as long as they don't saturate the link.

I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service-specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.

I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!

-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" wrote:
> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network from DDoS attacks?
> I know this isn't easy, but I would like to secure my network as much as possible.
> Even if I'm not able to prevent or block a DDoS I would like to get some info (an SNMP trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 09:07:15 2013
From: James Howlett
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:06:07 +0100
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

Hello,

Kevin, thank you for the information.

> FreeBSD is fairly simple to harden against smaller DDoS attacks.
> Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc.), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>
> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Let me tell you a bit about my setup. All my connections to ISPs are 1 Gigabit each.
They are terminated on my switch, and the router is connected to that switch.

> Deny all ICMP (drop, I mean) and UDP except where specifically required.

Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.

> And just do general hardening... Get yourself a static IP or VPN. Deny all console/SSH access except to that IP. Same here, a simple host deny will satisfy this need.

This is already done. I also have out-of-band management to my router over a different network connection. If all my ISPs fail I can still connect to that router.

> The less you do with the firewall (routing/blocking/inspecting) the better.
>
> Drop drop drop ;)
>
> In the end, with proper tuning and a good Intel NIC you can saturate a 1Gbps connection with legit traffic and block most high-PPS floods as long as they don't saturate the link.

I have the following Ethernet cards in my router:

device = '82579LM Gigabit Network Connection'
device = '82571EB Gigabit Ethernet Controller'
device = '82571EB Gigabit Ethernet Controller'
device = '82574L Gigabit Network Connection'

but at this moment I use only the 82571EB model.

> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service-specific attacks like SSH/FTP, etc.

At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.

> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.

There is nothing to apologize for - you are most helpful.

> I have my configs which I can send by tomorrow if needed. (For examples)

That would be great.

All best,
Jim

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 09:16:23 2013
From: Charles Sprickman
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 04:16:12 -0500
Message-Id: <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>

On Feb 10, 2013, at 4:06 AM, James Howlett wrote:
> [...]
> Let me tell you a bit about my setup. All my connections to ISPs are 1 Gigabit each.
> They are terminated on my switch, and the router is connected to that switch.

I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

I know on a "real" router, having NetFlow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null-route the attacked IP at their edges. I don't know if there's a good NetFlow exporter available for FreeBSD that won't hurt more than it helps.

Charles

> [...]
From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 09:43:13 2013
From: James Howlett
To: Charles Sprickman
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:42:05 +0100
In-Reply-To: <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>

Hello,

> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

1. I use pf on the router.
2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
   So as long as my router can process the traffic I can manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.

> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having NetFlow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null-route the attacked IP at their edges. I don't know if there's a good NetFlow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch so that should do it. What software would you recommend for NetFlow analysis?
Jim

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 12:48:59 2013
From: Janne Snabb
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 14:48:08 +0200
Message-ID: <51179708.2030206@epipe.com>
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

On 2013-02-10 03:57, khatfield@socllc.net wrote:
> Deny all ICMP (drop I mean) and UDP except where specifically required.

Please do not drop all ICMP unless you understand what you are doing. By doing that you are creating a path MTU discovery blackhole. See for example the following sites for more information:

http://www.phildev.net/mss/
https://supportforums.cisco.com/docs/DOC-5839
http://www.cymru.com/Documents/icmp-messages.html
http://packetlife.net/blog/2008/oct/09/disabling-unreachables-breaks-pmtud/

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 16:41:42 2013
From: khatfield@socllc.net
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:35:57 -0600
Message-Id: <935214494.7700.1360514165103@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>

James,

That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?

You can google sFlow for FreeBSD. There is an export tool for NetFlow which I have used that exports as sFlow via a bridge-type conversion. Works incredibly well.

ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.

If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.

Additionally, it would be good to know the switch you're using. I'm guessing since it's sFlow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

However, if the BSD box is either livelocking or crashing then you need to fix that first.

I would state that enabling polling can be done from the command line if it's already enabled in the kernel.

Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public-facing NIC first.

Thanks,
Kevin

On Feb 10, 2013, at 3:07 AM, "James Howlett" wrote:
> [...]

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 17:34:21 2013
From: James Howlett
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 18:34:14 +0100
In-Reply-To: <935214494.7700.1360514165103@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>

Kevin,

> That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?

There is no NAT on my router. The setup looks like that:

ISP--switch--FreeBSD-router---switch---firewall (NAT, etc.)

The switch is basically one device with some VLANs.
My outside connectivity is done by BGP; my internal routing is using OSPF as an IGMP protocol.

> You can google sFlow for FreeBSD. There is an export tool for NetFlow which I have used that exports as sFlow via a bridge-type conversion. Works incredibly well.

Great, I'll look into that. Could you recommend some flow display/analysis software?

> ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.

Ok.

> If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.

My firewall is basic and looks like that: http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing since it's sFlow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

I have both Juniper EX2200 and Cisco 2960S at hand.

> However, if the BSD box is either livelocking or crashing then you need to fix that first.

The BSD box drops network connectivity - OSPF fails first, which causes my network to go offline. The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's already enabled in the kernel.
>
> Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public-facing NIC first.

My Ethernet cards use the em driver. I can change to igb cards in a few weeks.
Is it safe to enable polling on a production system?

All best,
jim

From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 21:08:28 2013
From: Charles Sprickman
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 16:08:21 -0500

On Feb 10, 2013, at 4:42 AM, James Howlett wrote:
> [...]
> I can collect sFlow from my switch so that should do it. What software would you recommend for NetFlow analysis?

I'm not sure I can recommend it, because it's quite old, but I use flow-tools and just query on the command line for top X destinations - inevitably, even if the old Cisco is tanking from the load, it's able to spit out enough info to give me an idea of what's being targeted.

I'm probably going to move to nfsen/nfdump, as that seems to be the modern solution:

http://nfsen.sourceforge.net/

> Jim

From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 16:12:05 2013
From: Mark Felder
To: khatfield@socllc.net, Janne Snabb
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Subject: Re: FreeBSD DDoS protection
Date: Tue, 12 Feb 2013 10:11:42 -0600
In-Reply-To: <51179708.2030206@epipe.com>

freebsd-isp@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Feb 2013 16:12:05 -0000 On Sun, 10 Feb 2013 06:48:08 -0600, Janne Snabb wrote: > Please do not drop all ICMP unless you understand what you are doing. By > doing that you are creating a path MTU discovery blackhole. I was coming here to say the exact thing Dropping ICMP is not a security method. Please stop doing this! From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 16:54:30 2013 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 8FB5F5A3 for ; Tue, 12 Feb 2013 16:54:30 +0000 (UTC) (envelope-from norbert.aschendorff@yahoo.de) Received: from nm19.bullet.mail.ne1.yahoo.com (nm19.bullet.mail.ne1.yahoo.com [98.138.90.82]) by mx1.freebsd.org (Postfix) with ESMTP id 366AA195 for ; Tue, 12 Feb 2013 16:54:29 +0000 (UTC) Received: from [98.138.226.180] by nm19.bullet.mail.ne1.yahoo.com with NNFMP; 12 Feb 2013 16:52:16 -0000 Received: from [98.138.226.30] by tm15.bullet.mail.ne1.yahoo.com with NNFMP; 12 Feb 2013 16:52:16 -0000 Received: from [127.0.0.1] by smtp201.mail.ne1.yahoo.com with NNFMP; 12 Feb 2013 16:52:16 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.de; s=s1024; t=1360687936; bh=N2KHZGcrCqPKTkbIYYTthVF0hUy7Ns+yhvGY29FiT9Y=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=C8yFa5Zaka7JHg4L5CQ8oBEkIcFkGxGxvuIUewl61cFMAJNFT6ynBDjshfxWieSXyOB/j4nA5aQjie50o6TeEPBnezLuhJ4RfcOc0onkArT8soHkkEFRzN39Tnq5MACEL8Yy2n8y0qGVHyzlQ+kemOgWqGxOEwqGRyxn+Jj1oTk= X-Yahoo-Newman-Id: 116015.3965.bm@smtp201.mail.ne1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: 
48_5mYsVM1m79Ip38FvMCVbS39NETdvuqhLms.qT1RzaBlc bq3KMO0HMB8FU0gb3wmB3OGAjlzvckabB3Y_42TOoDmOWQ.CGHeFj4zPFiwm jlt6pyXIHmy4oo4uxLwqF_kdYj4nwwhSnFlW66V_FkLiT.16YK6XJVMucs3O zGVE1qIE3ul2H8UwAksBJvCsZPb58YoGnkG1801ONcA3Kwxrpjf7sdmHzXXA tQZV_yBuovioJfK5OCdpNjrQeouHrYCgY5OExi.iuozecVubOQ3LUVi4qFlt e1PRfIBAWIyI1V6dh0NzPkCpe9xUXr3UWegXVXb5c38LTwejkqZF6FMC39ut ._PDROC_bm_ML.wBr1rSnFjzp5rbmNHqvIbt29YBVd46jvhlZ8abedHvXv1q R4CjE0XHxd0qioB94WaxAGw4Sw2Wk.vVt1umDEjf9QtbVlvVqySO4vcYzWBu Mzkfv93R0L2rYYB9YjODo X-Yahoo-SMTP: d20YFqmswBAWc4wd23BcX3DKFU.SSFWadKORXj_BQPQ- Received: from vostro-linux.goebo.site (norbert.aschendorff@46.5.47.79 with plain) by smtp201.mail.ne1.yahoo.com with SMTP; 12 Feb 2013 08:52:16 -0800 PST Message-ID: <511A733E.3000208@yahoo.de> Date: Tue, 12 Feb 2013 17:52:14 +0100 From: Norbert Aschendorff User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130112 Icedove/17.0.2 MIME-Version: 1.0 To: freebsd-isp@freebsd.org Subject: Re: FreeBSD DDoS protection References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Feb 2013 16:54:30 -0000 In fact, it's specified in RFC1122: 3.2.2.6 Echo Request/Reply: RFC-792 Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. I think it implies that the implementation should actually work. 
:) --Norbert From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 17:41:54 2013 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 9EFBB69D for ; Tue, 12 Feb 2013 17:41:54 +0000 (UTC) (envelope-from khatfield@socllc.net) Received: from smtp196.dfw.emailsrvr.com (smtp196.dfw.emailsrvr.com [67.192.241.196]) by mx1.freebsd.org (Postfix) with ESMTP id 60C10633 for ; Tue, 12 Feb 2013 17:41:53 +0000 (UTC) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp9.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 293433C0E72; Tue, 12 Feb 2013 12:34:35 -0500 (EST) X-Virus-Scanned: OK Received: by smtp9.relay.dfw1a.emailsrvr.com (Authenticated sender: khatfield-AT-socllc.net) with ESMTPSA id 703433C0DE4; Tue, 12 Feb 2013 12:34:26 -0500 (EST) Subject: Re: FreeBSD DDoS protection References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <511A733E.3000208@yahoo.de> From: khatfield@socllc.net Mime-Version: 1.0 In-Reply-To: <511A733E.3000208@yahoo.de> Message-Id: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com> Date: Tue, 12 Feb 2013 11:34:21 -0600 To: Norbert Aschendorff X-NS-Received: from Apple-iPhone5C2/1002.143(khatfield@socllc.net) SECURED(HTTPS); Tue, 12 Feb 2013 17:34:24 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: "freebsd-isp@freebsd.org" X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Feb 2013 17:41:54 -0000 As my response stated filter ICMP except where necessary. 
I can state coming= from a mitigation background that there are ways to safely do it without ca= using any issues. However, yes, you can still filter ICMP and remain complia= nt with an example pf rule like: icmp_types =3D "{ echoreq, unreach }" But in real life situations under constant attacks, blocking ICMP can be a l= arge part of keeping businesses online. If everything was standard and attackers followed the packet/traffic specifi= cations then going by the standard would be no problem. That's not the case a= nd sometimes guidelines have to be situational. -Kevin On Feb 12, 2013, at 10:54 AM, "Norbert Aschendorff" wrote: > In fact, it's specified in RFC1122: >=20 >=20 > 3.2.2.6 Echo Request/Reply: RFC-792 >=20 > Every host MUST implement an ICMP Echo server function that > receives Echo Requests and sends corresponding Echo Replies. >=20 > I think it implies that the implementation should actually work. :) >=20 > --Norbert > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 17:46:39 2013 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7DB62A18 for ; Tue, 12 Feb 2013 17:46:39 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-wg0-f46.google.com (mail-wg0-f46.google.com [74.125.82.46]) by mx1.freebsd.org (Postfix) with ESMTP id 188546D9 for ; Tue, 12 Feb 2013 17:46:38 +0000 (UTC) Received: by mail-wg0-f46.google.com with SMTP id fg15so268110wgb.25 for ; Tue, 12 Feb 2013 09:46:31 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; 
bh=78OjtOjh8tH22/CWbkisZa3k4BhNSfMtdpm58Ky3iWg=; b=JxDA/HfzTnc0OrAhnmzoVcviWMHt4Zgk3xAbDkLKvn0VR3NI9p3U26aiZJLjfbAyFX WKP6USkcsLTOWS0PklEQ4DtllNwT6OUxjLw4nmCUn9rrwouYAvMaaVFqw38mfohRprLH cV4Hq+yDvOftGuiDPHCtlAHfXoGdRNvXW2rGip9WbyMtxcHR1Yo4eDyPJAdJbbCLVhnY jCNIyNtcFRVkZyx1/6nzJuvHy744VwYsmyglOqzzX8MCXlNNDW4wiBKHDerMn4Vbdepz 7PTAqswfTM4WFJxPKsv7wLzW0A1TSEMUu5WeWpjDlfV4Cu6PH5B62ZT5qmqabBnAEjlL Y3Aw== X-Received: by 10.180.109.82 with SMTP id hq18mr5067955wib.0.1360691191752; Tue, 12 Feb 2013 09:46:31 -0800 (PST) Received: from dfleuriot-at-hi-media.com ([83.167.62.196]) by mx.google.com with ESMTPS id fg6sm21438081wib.10.2013.02.12.09.46.27 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 12 Feb 2013 09:46:30 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\)) Subject: Re: FreeBSD DDoS protection From: Fleuriot Damien In-Reply-To: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com> Date: Tue, 12 Feb 2013 18:46:26 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <79C9AC81-7937-4C2D-8514-51CAEAF314E7@my.gd> References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <511A733E.3000208@yahoo.de> <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com> To: khatfield@socllc.net X-Mailer: Apple Mail (2.1499) X-Gm-Message-State: ALoCoQnDxkZRfKaDgjog6jiGN5MdiO20jexwDmOWvfU2ImaSoWo7K5S4c5BeUGgPwfGDGpVOccuf Cc: Norbert Aschendorff , "freebsd-isp@freebsd.org" X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Feb 2013 17:46:39 -0000 On Feb 12, 2013, at 6:34 PM, khatfield@socllc.net wrote: > As my response stated filter ICMP except where necessary. 
I can state = coming from a mitigation background that there are ways to safely do it = without causing any issues. However, yes, you can still filter ICMP and = remain compliant with an example pf rule like: > icmp_types =3D "{ echoreq, unreach }" >=20 breaks traceroute :( > But in real life situations under constant attacks, blocking ICMP can = be a large part of keeping businesses online. >=20 YMMV but I'd advise rate limiting instead of plain blocking. From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 19:10:57 2013 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 889C07EC for ; Tue, 12 Feb 2013 19:10:57 +0000 (UTC) (envelope-from khatfield@socllc.net) Received: from smtp196.dfw.emailsrvr.com (smtp196.dfw.emailsrvr.com [67.192.241.196]) by mx1.freebsd.org (Postfix) with ESMTP id 60F08B16 for ; Tue, 12 Feb 2013 19:10:56 +0000 (UTC) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp9.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 4F33E3C0B15; Tue, 12 Feb 2013 14:10:56 -0500 (EST) X-Virus-Scanned: OK Received: by smtp9.relay.dfw1a.emailsrvr.com (Authenticated sender: khatfield-AT-socllc.net) with ESMTPSA id 261BC3C0BBA; Tue, 12 Feb 2013 14:10:45 -0500 (EST) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: Re: FreeBSD DDoS protection References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <511A733E.3000208@yahoo.de> <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com> <79C9AC81-7937-4C2D-8514-51CAEAF314E7@my.gd> From: khatfield@socllc.net Mime-Version: 1.0 In-Reply-To: <79C9AC81-7937-4C2D-8514-51CAEAF314E7@my.gd> Message-Id: <943225264.98111.1360696244544@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com> Date: Tue, 12 Feb 2013 13:10:42 -0600 To: Fleuriot Damien X-NS-Received: from 
Apple-iPhone5C2/1002.143(khatfield@socllc.net) SECURED(HTTPS); Tue, 12 Feb 2013 19:10:43 +0000 (UTC) Cc: Norbert Aschendorff , "freebsd-isp@freebsd.org" X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Feb 2013 19:10:57 -0000 It does but possibly beneficial in some scenarios. I completely agree with = keeping everything standard and not doing things that make other things eit= her unpredictable or more difficult.=20 That's why I run MX80's instead of BSD-based edge gear any longer. Again, s= imply trying to help the OP with his current equipment and basic needs to r= esolve his present issue. On Feb 12, 2013, at 11:46 AM, "Fleuriot Damien" wrote: >=20 > On Feb 12, 2013, at 6:34 PM, khatfield@socllc.net wrote: >=20 >> As my response stated filter ICMP except where necessary. I can state co= ming from a mitigation background that there are ways to safely do it witho= ut causing any issues. However, yes, you can still filter ICMP and remain c= ompliant with an example pf rule like: >> icmp_types =3D "{ echoreq, unreach }" >=20 > breaks traceroute :( >=20 >=20 >=20 >> But in real life situations under constant attacks, blocking ICMP can be= a large part of keeping businesses online. >=20 > YMMV but I'd advise rate limiting instead of plain blocking. 
From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 00:52:32 2013
From: Dag-Erling Smørgrav
To: Mark Felder
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett, Janne Snabb, khatfield@socllc.net
Date: Wed, 13 Feb 2013 01:52:29 +0100
Subject: Re: FreeBSD DDoS protection

Mark Felder writes:
> Dropping ICMP is not a security method. Please stop doing this!

Slight correction: dropping *all* ICMP is a bad idea. You can get by with just unreach. Add timex, echoreq and echorep for troubleshooting.

For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add timex, echoreq and echorep for troubleshooting, and routersol and routeradv on networks that use SLAAC.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 07:04:44 2013
From: Ian Smith
To: Dag-Erling Smørgrav
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Wed, 13 Feb 2013 18:04:33 +1100 (EST)
Subject: Re: FreeBSD DDoS protection

On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder writes:
> > Dropping ICMP is not a security method. Please stop doing this!
> Slight correction: dropping *all* ICMP is a bad idea. You can get by
> with just unreach. Add timex, echoreq and echorep for troubleshooting.

rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes. Are there any negative security implications to including source quench?

> For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.

cheers, Ian

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 08:28:03 2013
From: Dag-Erling Smørgrav
To: Ian Smith
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Wed, 13 Feb 2013 09:28:00 +0100
Subject: Re: FreeBSD DDoS protection

Ian Smith writes:
> Dag-Erling Smørgrav writes:
> > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> Are there any negative security implications to including source quench?

See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927). TL;DR: they were a bad idea to begin with, and nobody implements them anyway.
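The ICMP allow-list DES gives in his two messages above, together with Damien's observation that Kevin's two-type list breaks traceroute, as an added pf.conf fragment that is not from the thread; the interface name em0 is an assumption.

```pf
# Added example, not from the thread: admit only the ICMP types DES lists
# instead of dropping all ICMP. The interface name is an assumption.
ext_if = "em0"

# IPv4: unreach is the one type you cannot drop without creating a path
# MTU discovery black hole. timex is what traceroute relies on, which is
# why the "{ echoreq, unreach }" list in the thread "breaks traceroute";
# echoreq and echorep are for ping.
icmp_types = "{ unreach, timex, echoreq, echorep }"

# IPv6: unreach and toobig for PMTUD, neighbrsol and neighbradv for
# neighbour discovery (IPv6 does not work at all without them), timex and
# echo for troubleshooting. routersol and routeradv are only needed on
# networks that use SLAAC; take them out of the list otherwise.
icmp6_types = "{ unreach, toobig, neighbrsol, neighbradv, timex, echoreq, echorep, routersol, routeradv }"

# Default deny on the external interface, then let exactly the listed
# ICMP types in; every other ICMP type stays blocked. Outbound traffic
# keeps state so replies to our own probes are matched by state.
block in on $ext_if all
pass in on $ext_if inet  proto icmp  all icmp-type  $icmp_types  keep state
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types keep state
pass out on $ext_if all keep state
```

Rate limiting of the kind Damien suggests is not a per-rule pf feature here; on FreeBSD the host's own ICMP responses (unreachables, echo replies) are capped by the net.inet.icmp.icmplim sysctl, which limits how many it sends per second.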
From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 10:07:45 2013
From: Ian Smith
To: Dag-Erling Smørgrav
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Wed, 13 Feb 2013 21:07:40 +1100 (EST)
Subject: Re: FreeBSD DDoS protection

On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote:
> Ian Smith writes:
> > Dag-Erling Smørgrav writes:
> > > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> > Are there any negative security implications to including source quench?
>
> See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
> references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
> TL;DR: they were a bad idea to begin with, and nobody implements them
> anyway.

Fair enough, thanks for the refs, I'm just so out of date .. still chewing on the second and I have a nice fresh icmp-parameters.txt

cheers, Ian

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 15:58:09 2013
From: "Matthew X. Economou"
Date: Wed, 13 Feb 2013 10:58:04 -0500
Subject: RE: FreeBSD DDoS protection

khatfield@s... writes:
>
> The less you do with the firewall (routing/blocking/inspecting) the
> better.
>
> Drop drop drop ;)

I think this is really bad advice. A firewall should return destination-unreachable/reset packets for administratively prohibited traffic types. Drops, null routes, etc. should only be used in case of emergency like ongoing DoS attacks or for special cases like stealth firewalls.

-- 
I FIGHT FOR THE USERS

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 16:44:33 2013
From: khatfield@socllc.net
To: "Matthew X. Economou"
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 13 Feb 2013 10:44:23 -0600
Subject: Re: FreeBSD DDoS protection

Please read the rest of the thread before criticizing.

On Feb 13, 2013, at 9:58 AM, "Matthew X. Economou" wrote:

> khatfield@s... writes:
>>
>> The less you do with the firewall (routing/blocking/inspecting) the
>> better.
>>
>> Drop drop drop ;)
>
> I think this is really bad advice. A firewall should return
> destination-unreachable/reset packets for administratively prohibited
> traffic types. Drops, null routes, etc. should only be used in case of
> emergency like ongoing DoS attacks or for special cases like stealth
> firewalls.

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 17:51:53 2013
From: "xenophon\\+freebsd"
Date: Wed, 13 Feb 2013 12:51:44 -0500
Subject: RE: FreeBSD DDoS protection

khatfield@... writes:
>
> Please read the rest of the thread before criticizing.

Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
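The policy xenophon describes above, answering prohibited traffic by default and reserving silent drops for an active attack, as an added pf.conf fragment that is not from the thread; the table name, the service ports and the 192.0.2.0/24 source are constructed placeholders.

```pf
# Added example, not from the thread. Normal policy: blocked traffic is
# answered, so clients fail fast instead of waiting for a timeout and the
# filter is less conspicuous than a silent drop. pf's "return" sends a
# TCP RST for TCP, an ICMP unreachable for UDP, and still silently drops
# other protocols.
set block-policy return

# Emergency-only table for sources of an ongoing attack. "persist" keeps
# the table alive while it is empty; it is filled by hand during an
# incident (pfctl -t attackers -T add 192.0.2.0/24, a documentation-range
# placeholder) and flushed afterwards (pfctl -t attackers -T flush).
table <attackers> persist

# For those sources only, override the return policy and drop silently:
# answering them would just spend upstream bandwidth on the attacker.
# "quick" stops rule evaluation so no later pass rule admits them.
block drop in quick from <attackers>

# Default deny, using the return policy set above, followed by the
# services this host actually offers (ports are placeholders).
block in log all
pass in proto tcp to port { 22, 80, 443 } keep state
pass out keep state
```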
From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 18:31:29 2013
From: khatfield@socllc.net
To: "xenophon\\+freebsd"
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 13 Feb 2013 12:31:24 -0600
Subject: Re: FreeBSD DDoS protection

Yes and let me clarify.

If you read the rest of this discussion, all other emails, you would see that has been said already.

On Feb 13, 2013, at 11:52 AM, "xenophon\\+freebsd" wrote:

> khatfield@... writes:
>>
>> Please read the rest of the thread before criticizing.
>
> Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 18:35:25 2013
From: Ekkehard 'Ekki' Gehm
To: freebsd-isp@freebsd.org
Date: Wed, 13 Feb 2013 19:38:55 +0100
Subject: Re: FreeBSD DDoS protection

Ahoy!

On 13.02.2013 19:31, khatfield@socllc.net wrote:
> Yes and let me clarify.
>
> If you read the rest of this discussion, all other emails, you would see that has been said already.
>

So true!

>
>
> On Feb 13, 2013, at 11:52 AM, "xenophon\\+freebsd" wrote:
>
>> khatfield@... writes:
>>> Please read the rest of the thread before criticizing.
>> Let me clarify.
Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy. >> >> -- >> I FIGHT FOR THE USERS >> >> >> _______________________________________________ >> freebsd-isp@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-isp >> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
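The reject-rather-than-drop policy from the quoted message, with a null-route exception reserved for an active attack, written out as an added FreeBSD pf.conf example that is not from the thread; the interface name em0 and the table name ddos_src are assumptions:

```pf
# Added example for FreeBSD pf, not from the thread. Assumes the external
# interface is em0 (assumption) and uses a table named <ddos_src>
# (assumption) for sources that are null-routed only during an attack.
ext_if = "em0"

# Default for a plain "block": TCP gets a RST, UDP gets ICMP unreachable,
# anything else is dropped. Clients fail immediately instead of waiting
# for a timeout, and the firewall does not advertise itself by silence.
set block-policy return
set skip on lo0
scrub in all

# Empty in normal operation; populated only while an attack is under way.
table <ddos_src> persist

# Active-attack exception: silently drop, generating no reply at all, so
# the firewall spends nothing answering a flood and sends no backscatter.
block drop in quick on $ext_if from <ddos_src>

# Spoofed sources are also dropped: a RST or ICMP error would be sent to
# whatever address was forged, not to the real sender.
antispoof quick for $ext_if

# Primary policy: everything not explicitly allowed is rejected with the
# correct unreachable message (this is where "return" matters).
block return in log on $ext_if

# Allowed services; state is kept so replies need no extra rules.
pass in on $ext_if proto tcp to ($ext_if) port { 22 80 443 } \
    flags S/SA keep state

# Keep ICMP usable: echo requests stay answerable for diagnosis, and ICMP
# errors belonging to existing states are matched by pf automatically.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

pass out on $ext_if keep state
```

During an attack, `pfctl -t ddos_src -T add <prefix>` (placeholder prefix) moves a source into the silent-drop path and `pfctl -t ddos_src -T flush` clears it afterwards, so null-routing stays out of the steady-state policy as the message recommends.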