From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 02:06:34 2013
From: khatfield@socllc.net
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sat, 9 Feb 2013 19:57:08 -0600

Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics.

However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.

Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Deny all ICMP (drop I mean) and UDP except where specifically required.

And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.

The less you do with the firewall (routing/blocking/inspecting) the better.

Drop drop drop ;)

In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.

I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.

I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!
-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" wrote:

> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as possible.
> Even if I am not able to prevent or block a DDoS I would like to get some info (SNMP trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 09:07:15 2013
From: James Howlett
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:06:07 +0100

Hello,

Kevin, thank you for the information.

> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>
> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.

Let me tell you a bit about my setup. All my connections to ISPs are 1 Gigabit each.
They are terminated on my switch, and the router is connected to that switch.

> Deny all ICMP (drop I mean) and UDP except where specifically required.

Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.

> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.

This is already done. I also have out of band management to my router over a different network connection. If all my ISPs fail I can still connect to that router.

> The less you do with the firewall (routing/blocking/inspecting) the better.
>
> Drop drop drop ;)
>
> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.

I have the following ethernet cards in my router:
device = '82579LM Gigabit Network Connection'
device = '82571EB Gigabit Ethernet Controller'
device = '82571EB Gigabit Ethernet Controller'
device = '82574L Gigabit Network Connection'

but at this moment I use only the 82571EB model.

> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases...
> Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.

At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.

> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.

There is nothing to apologize for - you are most helpful.

> I have my configs which I can send by tomorrow if needed. (For examples)

That would be great.

All best,
Jim

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 09:43:13 2013
From: James Howlett
To: Charles Sprickman
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:42:05 +0100

Hello,

> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

1. I use pf on the router.
2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall

So as long as my router can process the traffic I can manage all the rest (e.g. customer firewalls, zoning etc) on my Juniper hardware.
3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.

> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?
Jim

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 09:16:23 2013
From: Charles Sprickman
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 04:16:12 -0500

On Feb 10, 2013, at 4:06 AM, James Howlett wrote:

> Hello,
>
> Kevin, thank you for the information.
>
>> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>>
>> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>>
>
> Let me tell you a bit about my setup. All my connections to ISPs are 1 Gigabit each.
> They are terminated on my switch, and the router is connected to that switch.

I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

Charles

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 12:48:59 2013
From: Janne Snabb
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 14:48:08 +0200
On 2013-02-10 03:57, khatfield@socllc.net wrote:
> Deny all ICMP (drop I mean) and UDP except where specifically required.

Please do not drop all ICMP unless you understand what you are doing. By doing that you are creating a path MTU discovery blackhole.

See for example the following sites for more information:

http://www.phildev.net/mss/
https://supportforums.cisco.com/docs/DOC-5839
http://www.cymru.com/Documents/icmp-messages.html
http://packetlife.net/blog/2008/oct/09/disabling-unreachables-breaks-pmtud/

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 16:41:42 2013
From: khatfield@socllc.net
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:35:57 -0600
James,

That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?

You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion. Works incredibly well.

ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.

If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.

Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

However, if the BSD box is either live locking or crashing then you need to fix that first.

I would state that enabling polling can be done from the command line if it's already enabled in the kernel.

Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

Thanks,
Kevin

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 17:34:21 2013
From: James Howlett
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 18:34:14 +0100
Kevin,

> That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?

There is no NAT on my router. The setup looks like that:
ISP--switch--FreeBSD-router---switch---firewall (nat, etc)
The switch is basically one device with some vlans.
My outside connectivity is done by BGP, my internal routing is using OSPF as an IGMP protocol.

> You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion. Works incredibly well.

Great, I'll look into that. Could you recommend some flow display/analysis software?

> ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.

Ok.

> If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.

My firewall is basic and looks like that: http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

I have both Juniper EX2200 and Cisco 2960S at hand.

> However, if the BSD box is either live locking or crashing then you need to fix that first.

The BSD box drops network connectivity - OSPF fails first which causes my network to go offline. The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's already enabled in the kernel.
>
> Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

My ethernet cards use the em driver. I can change to igb cards in a few weeks.
Is it safe to enable polling on a production system?

All best,
jim

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 19:57:18 2013
From: Chris Boyd
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 13:44:45 -0600
On Sat, 2013-02-09 at 19:57 -0600, khatfield@socllc.net wrote:

> Deny all ICMP (drop I mean)

Please DON'T do this. ICMP is a required part of the TCP/IP suite. It breaks Path MTU discovery, leading to oddball issues where some sites can't load graphics, some file transfers break, etc. It makes troubleshooting using traceroute not work.

If you don't want to get pinged, then drop echo request/reply. But those are really pretty harmless.

--Chris

From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 21:08:28 2013
From: Charles Sprickman
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 16:08:21 -0500
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net

On Feb 10, 2013, at 4:42 AM, James Howlett wrote:

> Hello,
>
>> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?
>
> 1. I use pf on the router.
> 2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
> So as long as my router can process the traffic I can manage all the rest (eg. customer firewalls, zoning etc) on my Juniper hardware.
> 3. The rules at the moment just filter SSH connections to the router.
> 4. I'm looking into enabling polling, but I need to test it before it goes to production.
>
>> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?
>
> Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.
>
>> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.
>
> I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?
I'm not sure I can recommend it, because it's quite old, but I use flow-tools and just query on the command line for top X destinations - inevitably, even if the old Cisco is tanking from the load, it's able to spit out enough info to give me an idea of what's being targeted.

I'm probably going to move to nfsen/nfdump, as that seems to be the modern solution:

http://nfsen.sourceforge.net/

> Jim

From owner-freebsd-security@FreeBSD.ORG Mon Feb 11 19:57:37 2013
From: Mike Tancsa
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Xin Li
Date: Mon, 11 Feb 2013 14:57:29 -0500
Subject: Re: new OpenSSL security issues
Message-ID: <51194D29.50402@sentex.net>
In-Reply-To: <5113F179.4070503@delphij.net>
On 2/7/2013 1:24 PM, Xin Li wrote:
>
> Note that it seems that the new OpenSSL version has introduced a
> regression, by the way:
>
> http://www.mail-archive.com/openssl-dev@openssl.org/msg32009.html

Hi Xin,

Looks like a new version just got released today that supposedly fixes this regression issue.

http://www.openssl.org/source/exp/CHANGES

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Tue Feb 12 16:12:05 2013
From: Mark Felder
To: khatfield@socllc.net, Janne Snabb
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Tue, 12 Feb 2013 10:11:42 -0600
Subject: Re: FreeBSD DDoS protection
In-Reply-To: <51179708.2030206@epipe.com>

On Sun, 10 Feb 2013 06:48:08 -0600, Janne Snabb wrote:

> Please do not drop all ICMP unless you understand what you are doing. By
> doing that you are creating a path MTU discovery blackhole.

I was coming here to say the exact thing. Dropping ICMP is not a security method. Please stop doing this!
From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 00:52:32 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Mark Felder
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett, Janne Snabb, khatfield@socllc.net
Date: Wed, 13 Feb 2013 01:52:29 +0100
Subject: Re: FreeBSD DDoS protection
Message-ID: <86zjz9f31u.fsf@ds4.des.no>

Mark Felder writes:
> Dropping ICMP is not a security method. Please stop doing this!

Slight correction: dropping *all* ICMP is a bad idea. You can get by with just unreach. Add timex, echoreq and echorep for troubleshooting.

For IPv6, you want unreach, toobig, neighbrsol and neighbradv.
Add timex, echoreq and echorep for troubleshooting, and routersol and routeradv on networks that use SLAAC.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 07:05:52 2013
From: Ian Smith
To: Dag-Erling Smørgrav
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Wed, 13 Feb 2013 18:04:33 +1100 (EST)
Subject: Re: FreeBSD DDoS protection
Message-ID: <20130213175449.O71572@sola.nimnet.asn.au>
In-Reply-To: <86zjz9f31u.fsf@ds4.des.no>
On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder writes:
> > Dropping ICMP is not a security method. Please stop doing this!

> Slight correction: dropping *all* ICMP is a bad idea. You can get by
> with just unreach. Add timex, echoreq and echorep for troubleshooting.

rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
Are there any negative security implications to including source quench?

> For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 08:28:03 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Ian Smith
Date: Wed, 13 Feb 2013 09:28:00 +0100
Subject: Re: FreeBSD DDoS protection
Message-ID: <86halg4nzj.fsf@ds4.des.no>
In-Reply-To: <20130213175449.O71572@sola.nimnet.asn.au>
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett

Ian Smith writes:
> Dag-Erling Smørgrav writes:
> > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> Are there any negative security implications to including source quench?

See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927). TL;DR: they were a bad idea to begin with, and nobody implements them anyway.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 10:08:41 2013
From: Ian Smith
To: Dag-Erling Smørgrav
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Date: Wed, 13 Feb 2013 21:07:40 +1100 (EST)
Subject: Re: FreeBSD DDoS protection
Message-ID: <20130213210141.F71572@sola.nimnet.asn.au>
In-Reply-To: <86halg4nzj.fsf@ds4.des.no>
On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote:
> Ian Smith writes:
> > Dag-Erling Smørgrav writes:
> > > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> > Are there any negative security implications to including source quench?
>
> See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
> references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
> TL;DR: they were a bad idea to begin with, and nobody implements them
> anyway.

Fair enough, thanks for the refs, I'm just so out of date .. still chewing on the second and I have a nice fresh icmp-parameters.txt

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 16:44:33 2013
Subject: Re: FreeBSD DDoS protection
From: khatfield@socllc.net
To: "Matthew X. Economou"
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 13 Feb 2013 10:44:23 -0600
Message-Id: <2107458022.140210.1360773865635@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>

Please read the rest of the thread before criticizing.

On Feb 13, 2013, at 9:58 AM, "Matthew X. Economou" wrote:

> khatfield@s... Writes:
>>
>> The less you do with the firewall (routing/blocking/inspecting) the
>> better.
>>
>> Drop drop drop ;)
>
> I think this is really bad advice. A firewall should return
> destination-unreachable/reset packets for administratively prohibited
> traffic types. Drops, null routes, etc.
> should only be used in case of
> emergency like ongoing DoS attacks or for special cases like stealth
> firewalls.
>
> --
> I FIGHT FOR THE USERS

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 15:58:09 2013
Date: Wed, 13 Feb 2013 10:58:04 -0500
Subject: RE: FreeBSD DDoS protection
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
From: "Matthew X. Economou"

khatfield@s... Writes:
>
> The less you do with the firewall (routing/blocking/inspecting) the
> better.
>
> Drop drop drop ;)

I think this is really bad advice. A firewall should return destination-unreachable/reset packets for administratively prohibited traffic types. Drops, null routes, etc. should only be used in case of emergency like ongoing DoS attacks or for special cases like stealth firewalls.

--
I FIGHT FOR THE USERS

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 17:51:53 2013
From: "xenophon\\+freebsd" <xenophon+freebsd@irtnog.org>
Date: Wed, 13 Feb 2013 12:51:44 -0500
Subject: RE: FreeBSD DDoS protection
In-Reply-To: <2107458022.140210.1360773865635@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>

khatfield@... writes:
>
> Please read the rest of the thread before criticizing.

Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
--
I FIGHT FOR THE USERS

From owner-freebsd-security@FreeBSD.ORG Wed Feb 13 18:31:30 2013
From: khatfield@socllc.net
To: "xenophon\\+freebsd"
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 13 Feb 2013 12:31:24 -0600
Subject: Re: FreeBSD DDoS protection
Message-Id: <928201005.145638.1360780287310@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>

Yes and let me clarify.

If you read the rest of this discussion, all other emails, you would see that has been said already.

On Feb 13, 2013, at 11:52 AM, "xenophon\\+freebsd" <xenophon+freebsd@irtnog.org> wrote:

> khatfield@... writes:
>>
>> Please read the rest of the thread before criticizing.
>
> Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
>
> --
> I FIGHT FOR THE USERS
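The pf.conf fragment below is an added example, written for this edit and not taken from any message in the thread or from the FreeBSD project. It puts the thread's three points into one ruleset for a FreeBSD router running pf: Dag-Erling's ICMP/ICMPv6 allowlist instead of "deny all ICMP", Matthew Economou's "return RST/unreachable rather than drop" default, and the ssh filtering Jim already has on the router. The interface names em0/em1, the addresses 192.0.2.10 and 192.0.2.1, and the placement of BGP on the outside and OSPF on the inside are assumed placeholders, not Jim's configuration.

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD router.
# Interface names, addresses and peer placement are assumed placeholders.
ext_if     = "em0"           # assumed: ISP-facing interface
int_if     = "em1"           # assumed: interface towards the Juniper firewall
admin_host = "192.0.2.10"    # assumed: the single static IP / VPN address allowed to ssh in
bgp_peer   = "192.0.2.1"     # assumed: the ISP's BGP neighbour

# ICMP a router must let through (unreach) plus the troubleshooting set.
# Blocking unreach is what turns "deny all ICMP" into a PMTUD blackhole.
icmp_types  = "{ unreach, timex, echoreq, echorep }"
# ICMPv6: unreach/toobig for PMTUD, neighbrsol/neighbradv for neighbour
# discovery, routersol/routeradv only on segments that use SLAAC.
icmp6_types = "{ unreach, toobig, neighbrsol, neighbradv, timex, echoreq, echorep, routersol, routeradv }"

# Address ranges that can never legitimately arrive from the ISP side.
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

set skip on lo0
scrub in all

# Weak policy ("drop drop drop"): every prohibited packet is silently
# discarded, so clients of prohibited services hang until their own
# timers expire and the firewall's existence has to be guessed at.
# block drop all

# Corrected default: prohibited TCP is answered with RST, prohibited UDP
# with ICMP unreachable, so senders fail fast. pf is last-match, so the
# pass rules further down override this for allowed traffic.
block return log all

# Silent drop only where a reply is pointless: packets arriving on the
# outside interface with a forged source (our own networks or private
# space). A reply would go to the forged address, not the sender.
antispoof quick for $ext_if
block drop in quick on $ext_if from <private> to any

# Allow only the listed ICMP types, not the whole protocol.
pass in on $ext_if inet  proto icmp  all icmp-type  $icmp_types
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types

# Routing daemons (bird): BGP with the upstream, OSPF on the inside.
pass in on $ext_if proto tcp from $bgp_peer to ($ext_if) port 179
pass in on $int_if proto ospf

# Management: ssh only from the admin host. Any other ssh attempt hits
# the "block return" default and gets a RST instead of a timeout.
pass in on $ext_if proto tcp from $admin_host to ($ext_if) port 22

# Forwarded and locally generated traffic leaves statefully, so replies
# to it are matched by state rather than by these rules.
pass out on { $ext_if, $int_if } all
```

Before loading it, parse-check the file with `pfctl -nf /etc/pf.conf`; the `-n` flag parses without loading, so a syntax slip does not leave the router unprotected mid-edit. The same return-instead-of-drop default can be set globally with `set block-policy return`, after which plain `block` rules behave like `block return`; the explicit form is used above so that the two policies sit side by side.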