From: khatfield@socllc.net
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sat, 9 Feb 2013 19:57:08 -0600
Message-Id: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.

Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Deny all ICMP (drop I mean) and UDP except where specifically required.

And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.

The less you do with the firewall (routing/blocking/inspecting) the better. Drop drop drop ;)

In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.

I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.

I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!
-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" wrote:
> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as possible.
> Even if I'm not able to prevent or block a DDoS I would like to get some info (snmp trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
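Editor's added example, not a config from Kevin or from the thread: a pf ruleset that applies the advice above (deny by default, drop rather than reject, antispoof, no ICMP/UDP to the box except what is required, ssh only from one trusted address) to the router's own addresses on a FreeBSD box running bird for BGP and OSPF. Interface names, peer addresses, the management IP and the transit network are placeholders chosen for this example. One caveat the thread does not mention: a router that drops every ICMP message also drops the "fragmentation needed" messages that path MTU discovery depends on, so that single ICMP type is let through here.

```pf
# pf.conf - added example for a FreeBSD BGP/OSPF router; not the thread's own config.
# All names and addresses below are placeholders (assumed for this example).
ext_if    = "em0"                          # upstream interface (assumed)
int_if    = "em1"                          # interface toward the internal network (assumed)
mgmt_ip   = "192.0.2.10"                   # the one static IP / VPN endpoint allowed to ssh in
bgp_peers = "{ 198.51.100.1, 198.51.100.2 }"   # upstream BGP neighbours (placeholders)
ospf_net  = "10.0.0.0/24"                  # constructed internal link where OSPF runs

set skip on lo0
set block-policy drop      # "drop, don't reject": no RST/ICMP replies that cost CPU and leak info
scrub in all               # normalise fragments before the rules see them

# Source-spoof protection: discard packets arriving on an interface with a source
# address that belongs on a different interface.
antispoof quick for { $ext_if $int_if }

# Everything addressed to the router itself is dropped (and logged) unless a
# quick rule below allows it. Transit traffic is not touched here: per the
# advice above, the router's firewall does as little as possible.
block in log to self

# Control plane: BGP only from the known peers, OSPF only on the internal link
# (unicast to the router and the two OSPF multicast groups).
pass in quick on $ext_if proto tcp from $bgp_peers to self port 179 flags S/SA keep state
pass in quick on $int_if proto ospf from $ospf_net to { self 224.0.0.5 224.0.0.6 }

# Management: ssh from the single trusted address only. No other TCP or any UDP
# reaches the box; outbound lookups (DNS, NTP) still work via the stateful
# pass-out rule, which lets their replies back in.
pass in quick proto tcp from $mgmt_ip to self port 22 flags S/SA keep state

# ICMP is dropped except the one type path MTU discovery needs.
pass in quick inet proto icmp from any to self icmp-type unreach code needfrag

pass out keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for what the default block is discarding; the log on the `block` rule is what makes it possible to notice an attack without adding rate-limiting or tracking rules. If echo requests from the management host are wanted for monitoring, add a second `icmp-type echoreq` rule restricted to `$mgmt_ip` rather than opening ICMP generally.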