Date: Sat, 9 Feb 2013 19:57:08 -0600
From: khatfield@socllc.net
To: James Howlett <jim.howlett@outlook.com>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: FreeBSD DDoS protection
Message-ID: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
In-Reply-To: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>
Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.

Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Deny all ICMP (drop I mean) and UDP except where specifically required.

And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.

The less you do with the firewall (routing/blocking/inspecting) the better. Drop drop drop ;)

In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.

I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps. I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!

-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" <jim.howlett@outlook.com> wrote:

> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practises one can take in order to protect the network from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as possible.
> Even if I'm not able to prevent or block a ddos I would like to get some info (snmp trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
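The pf ruleset below is an added example illustrating the advice in Kevin's reply (default drop, source-spoof protection, ICMP/UDP denied except where required, ssh only from one static IP, and the BGP/OSPF traffic Jim's bird router needs). It is not Kevin's config and not taken from this thread. The interface name `em0`, the management address, and the BGP neighbour addresses are placeholders from the documentation prefixes and must be replaced for a real site; the `needfrag` ICMP exception is one practitioner's choice to keep path-MTU discovery working and is not something Kevin stated.

```pf
# /etc/pf.conf  -- example ruleset added to this thread, not Kevin's config.
# Placeholder values (assumptions), replace for your site:
ext_if    = "em0"                              # Internet-facing interface
mgmt_ip   = "203.0.113.10"                     # static IP / VPN endpoint allowed to ssh in
bgp_peers = "{ 198.51.100.1, 198.51.100.2 }"   # configured BGP neighbours

set skip on lo0
# "Drop drop drop": silently discard instead of sending RSTs / ICMP unreachables,
# so a flood does not make the box generate a reply per packet.
set block-policy drop

# Source-spoof protection: drop packets arriving on $ext_if whose source
# address belongs to one of this host's own networks.
antispoof quick for $ext_if

# Default deny in every direction; everything else must be explicitly passed.
block all

# Replies to connections this router initiates (DNS lookups, NTP, package
# fetches) come back through state, so no inbound UDP rule is needed for them.
pass out quick on $ext_if keep state

# Management: ssh reachable only from the one static IP / VPN address.
# synproxy completes the handshake on the firewall first, so SYN floods
# against port 22 never reach sshd.
pass in quick on $ext_if proto tcp from $mgmt_ip to ($ext_if) port ssh \
    flags S/SA synproxy state

# Routing daemons (bird): BGP is TCP/179 from the configured neighbours only.
pass in quick on $ext_if proto tcp from $bgp_peers to ($ext_if) port bgp \
    flags S/SA keep state
# OSPF is IP protocol 89 between on-link neighbours (unicast and the
# 224.0.0.5/6 multicast groups); restrict it to the interface that carries it.
pass in quick on $ext_if proto ospf

# ICMP is otherwise dropped. The single exception kept here is the
# "fragmentation needed" unreachable, without which path-MTU discovery
# breaks for TCP sessions through this router (a choice, not part of the thread).
pass in quick on $ext_if inet proto icmp icmp-type unreach code needfrag

# Inbound UDP: nothing is passed. Add a narrow rule here only for a service
# that genuinely must accept unsolicited UDP (e.g. an authoritative DNS server).
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf` once `pf_enable="YES"` is set in `/etc/rc.conf`. Note that `antispoof` expands from the addresses actually bound to the interface, so it should be reloaded if addresses change, and that the ruleset deliberately has no rate limiting or per-source tracking, in line with Kevin's point that state tables and rate limits burn resources under exactly the floods they are meant to handle.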