From owner-freebsd-pf@FreeBSD.ORG Fri May 18 13:56:05 2007
Message-ID: <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
Date: Fri, 18 May 2007 16:56:05 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: Volker
In-Reply-To: <464D6880.2080306@vwsoft.com>
References:
<464D6880.2080306@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Volker wrote:
> > This isn't a bandwidth issue, but filling the network buffer more than
> > anything else, so there are no more free sockets, and I can't connect
> > to the server via ssh, it's not syn as well.
> >
> > But mass connect to IRC server with small bw, and the server isn't
> > lagged at all.
> >
> > Rate: 245,919 Packets Per Second
> >
> > What is the best way to deal with such DDoS?
>
> Abdullah,
>
> I'm not quite sure if I get you right.
>
> If TCP traffic arrives without a SYN set, you can easily block that by
> using 'pass ... flags S/SA' so the traffic never reaches your daemon.
>
> Also for TCP traffic you may want to try 'synproxy state'.
>
> The last thing you can do is to use altq, feed the traffic into a low
> bandwidth queue and still be able to serve other traffic. As you can't
> control the downstream usage that way, you're at least able to limit
> the response and slow down traffic that way a bit. I'm doing this for
> SMTP traffic and it works great (I'm slowing down all SMTP traffic
> from Windows boxes to my home server to a maximum of 6 kBit/s; non-
> Windows boxes are getting 40 kBit/s for SMTP connections, a bit too
> rude, I know, but it works).
>
> Keep in mind, if you're under a DDoS attack, your bandwidth may still
> be eaten up, but the effects on your machine will be limited when
> using S/SA + synproxy state + bandwidth limiting.
>
> If I get you wrong, please explain your problem in a bit more detail.
>
> HTH
>
> Volker

Thank you for the tip. Here is what I'm using, which fixed the issue.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload flush global)
pass out proto tcp to any keep state

Comments?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
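An added pf.conf fragment, not the rules from the thread, that folds the two posted pass rules into one and adds the block rule an overload table needs to have any effect. The two rules above match identical traffic, and since neither uses quick, pf's last-matching-rule-wins evaluation means only the keep state rule ever applies, so synproxy is never used; a single rule carrying both the synproxy and the source-limit options avoids that. The interface name, service list and the table name <bruteforce> are assumptions.

```pf
# Added example (not the thread's own rules). Assumed interface, ports
# and table name.
ext_if = "em0"
tcp_services = "{ 22, 6667 }"

# Sources that exceed the limits below are added here. Without a block
# rule referencing the table, being "overloaded" changes nothing.
# Inspect with:  pfctl -t bruteforce -T show
# Expire entries older than a day with:  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Drop tabled sources before any pass rule is evaluated; quick stops
# rule processing so a later pass cannot override this.
block in quick on $ext_if from <bruteforce>

# One rule, both mechanisms:
#  - flags S/SA: only a bare SYN may create state, so mid-stream or
#    flag-less packets never reach the daemon.
#  - synproxy state: pf completes the handshake itself and only opens a
#    connection to the daemon once the client has ACKed, so half-open
#    or spoofed SYNs never consume a socket on the server.
#  - max-src-conn 30: at most 30 established connections per source.
#  - max-src-conn-rate 30/3: at most 30 new connections per source in
#    any 3-second window.
#  - overload <bruteforce> flush global: an offending source is tabled
#    and every state it holds (from any rule) is killed.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

pass out on $ext_if proto tcp to any keep state
```

Reload with `pfctl -f /etc/pf.conf` and check the rule was parsed as intended with `pfctl -sr`; entries only leave the table when expired or flushed, so schedule the expire command if the table should not grow without bound.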