From: Charles Sprickman
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 04:16:12 -0500
To: James Howlett
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net

On Feb 10, 2013, at 4:06 AM, James Howlett wrote:

> Hello,
>
> Kevin, thank you for the information.
>
>> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>>
>> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>>
>
> Let me tell you a bit about my setup. All my connections to ISPs are 1 Gigabit each.
> They are terminated on my switch, and the router is connected to that switch.

I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

Charles

>
>> Deny all ICMP (drop I mean) and UDP except where specifically required.
>
> Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.
>
>> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
>>
>
> This is already done. I also have out of band management to my router over a different network connection. If all my ISPs fail I can still connect to that router.
>
>> The less you do with the firewall (routing/blocking/inspecting) the better.
>>
>> Drop drop drop ;)
>>
>> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
>>
>
> I have the following ethernet cards in my router:
> device = '82579LM Gigabit Network Connection'
> device = '82571EB Gigabit Ethernet Controller'
> device = '82571EB Gigabit Ethernet Controller'
> device = '82574L Gigabit Network Connection'
>
> but at this moment I use only the 82571EB model.
>
>> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
>>
>
> At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.
>
>> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
>>
>
> There is nothing to apologize for - you are most helpful.
>
>> I have my configs which I can send by tomorrow if needed. (For examples)
>>
>
> That would be great.
>
> All best,
> Jim
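The deny/allow, source-spoof, ICMP-only-from-monitoring-host and ssh-only-from-management-IP rules discussed in this thread, written up as an added pf.conf example; it is not a configuration posted by any of the participants, and the interface name and all addresses are assumed placeholders.

```pf
# Added example pf.conf, not a configuration from this thread.
# Assumed placeholders: em0 is the upstream-facing interface,
# 192.0.2.10 is the monitoring host, 198.51.100.5 is the management host.
ext_if       = "em0"
monitor_host = "192.0.2.10"
mgmt_host    = "198.51.100.5"

# Drop silently instead of answering with RST / ICMP unreachable:
# replying to a flood costs more than discarding it.
set block-policy drop
set skip on lo0

# Source spoof protection: discard packets arriving on $ext_if that claim
# to come from our own networks, plus anything with a bogon/private source.
antispoof quick for $ext_if
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
block in quick on $ext_if from <bogons> to any

# Default deny inbound, permit outbound.
block in on $ext_if
pass out on $ext_if keep state

# ICMP: only the monitoring host may ping the router; all other ICMP and
# all unsolicited UDP falls through to the default deny above.
pass in on $ext_if inet proto icmp from $monitor_host to ($ext_if) \
    icmp-type echoreq keep state

# ssh: only from the management host (out-of-band path is separate).
pass in on $ext_if proto tcp from $mgmt_host to ($ext_if) port 22 \
    flags S/SA keep state

# The public service under attack (port 80). Deliberately one plain
# stateful rule and no per-source tracking tables, in keeping with the
# advice above not to burn resources on elaborate rate limiting.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -si` shows the state-table and drop counters during an attack so you can see whether the box is dropping the flood or falling over.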