Date:      Sun, 10 Feb 2013 04:16:12 -0500
From:      Charles Sprickman <spork@bway.net>
To:        James Howlett <jim.howlett@outlook.com>
Cc:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "khatfield@socllc.net" <khatfield@socllc.net>
Subject:   Re: FreeBSD DDoS protection
Message-ID:  <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>
In-Reply-To: <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>


On Feb 10, 2013, at 4:06 AM, James Howlett wrote:

> Hello,
>
> Kevin, thank You for the information.
>
>> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since
>> I am unsure of your connection I cannot recommend specifics. However,
>> it is best to configure polling, tweak sysctl (buffers/sockets/etc),
>> install pf or ipfw and do some straightforward deny/allow + source
>> spoof settings.
>>
>> Above all, don't go overboard with firewall configuration. People
>> often try to do far too much tracking/packet rate limiting, etc. It
>> just burns up free resources.
>>
>
> Let me tell You a bit about my setup. All my connections to ISP's are
> 1 Gigabit each.
> They are terminated on my switch, and the router is connected to that
> switch.

I think you'll get some better input if you address some of what Kevin
noted above.  What firewall (if any) is in place?  What rules are
currently in place?  What tuning have you done so far?  Is polling
enabled?

When you get hit (you mentioned it's 200K pps), how much bandwidth?  How
many different source IPs?

I know on a "real" router, having Netflow configured and dumping info to
a host for analysis is very helpful - I can at least see what's being
targeted and ask my upstreams to null route the attacked IP at their
edges.  I don't know if there's a good netflow exporter available for
FreeBSD that won't hurt more than it helps.

Charles

>
>> Deny all ICMP (drop I mean) and UDP except where specifically
>> required.
>
> Is dropping ICMP really helpful? I can limit ICMP only to my monitoring
> host - that is no problem.
>
>> And just do general hardening... Get yourself a static IP or VPN.
>> Deny all console/ssh access except to that IP. Same here, a simple
>> host deny will satisfy this need.
>>
>
> This is already done. I also have out of band management to my router
> over a different network connection. If all my ISP's fail I can still
> connect to that router.
>
>> The less you do with the firewall (routing/blocking/inspecting) the
>> better.
>>
>> Drop drop drop ;)
>>
>> In the end, proper tuning with a good Intel NIC and you can saturate
>> a 1Gbps connection with legit traffic and block most high PPS floods
>> as long as they don't saturate the link.
>>
>
> I have the following Ethernet cards in my router:
>    device     = '82579LM Gigabit Network Connection'
>    device     = '82571EB Gigabit Ethernet Controller'
>    device     = '82571EB Gigabit Ethernet Controller'
>    device     = '82574L Gigabit Network Connection'
>
> but at this moment I use only the 82571EB model.
>
>> I have run similar configurations in 10Gbps scenarios and there are
>> certainly limitations even in 1Gbps cases... Though, you can't plan
>> for everything - the best you can do is be prepared for the majority
>> of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP,
>> etc.
>>
>
> At this moment an attack on port 80 kills my network connection with
> the number of PPS. 200000 is reached in a second and the router can't
> process any new connections.
>
>> I'm actually at dinner so I apologize for the lack of further detail.
>> I'm not even certain this makes sense but hopefully it helps.
>>
>
> There is nothing to apologize for - You are most helpful.
>
>> I have my configs which I can send by tomorrow if needed. (For
>> examples)
>>
>
> That would be great.
>
> All best,
> Jim
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
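Charles asks which IP is being hit and from how many sources, which is exactly what an upstream needs before null-routing a target. The script below is an added example, not from this thread or its participants: it tallies packets and distinct source addresses per destination from a constructed sample in "tcpdump -n" format (no Netflow exporter assumed), so the same one-liner can be run on a short capture from the router while the flood is in progress.

```shell
# Constructed sample in "tcpdump -n" format (not real traffic): a few SYNs
# to 203.0.113.10:80 from several sources, one ICMP echo, one unrelated SSH
# packet to another host, and an ARP line that must be ignored.
SAMPLE='04:16:12.000001 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
04:16:12.000002 IP 198.51.100.8.51235 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
04:16:12.000003 IP 198.51.100.7.51236 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
04:16:12.000004 IP 198.51.100.9 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
04:16:12.000005 IP 192.0.2.44.40000 > 203.0.113.11.22: Flags [S], seq 1, win 65535, length 0
04:16:12.000006 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28'

# Read tcpdump -n lines on stdin; print "dst_ip packets distinct_sources",
# busiest destination first. IPv4 only: a host.port token splits into 5
# parts, a bare host (ICMP) into 4, so the port is stripped only if present.
summarize_targets() {
    awk '
    function host(f,   n, p) {
        sub(/:$/, "", f)                  # destination carries a trailing colon
        n = split(f, p, ".")
        if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
        return f
    }
    $2 == "IP" {
        src = host($3); dst = host($5)
        pkts[dst]++
        if (!((dst, src) in seen)) { seen[dst, src] = 1; srcs[dst]++ }
    }
    END { for (d in pkts) print d, pkts[d], srcs[d] }' | sort -k2,2nr
}

# "packets distinct_sources" for one destination in the constructed sample.
sample_stats() {
    printf '%s\n' "$SAMPLE" | summarize_targets | awk -v d="$1" '$1 == d { print $2, $3 }'
}

# Busiest destination in the sample, i.e. the address to report upstream.
sample_top_target() {
    printf '%s\n' "$SAMPLE" | summarize_targets | head -n 1 | cut -d' ' -f1
}

printf '%s\n' "$SAMPLE" | summarize_targets
```

On a live box, replace the sample with something like `tcpdump -n -c 20000 -i em0 | summarize_targets` and compare the distinct-source count against the packet count: a handful of sources is a candidate for a simple firewall block, while thousands of sources point to the upstream null-route Charles describes.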