From: Matthew Seaman
To: "Marc G. Fournier"
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Date: Thu, 7 Oct 2004 16:37:35 +0100
Subject: Re: Reduce effects of DDoS attack ...
Message-ID: <20041007153735.GB691@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041007120946.K2822@ganymede.hub.org>

On Thu, Oct 07, 2004 at 12:19:28PM -0300, Marc G. Fournier wrote:
>
> I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last
> night, a DDoS attack against a network "beside us" caused 70+% packet loss
> on our network, and I'm trying to figure out if there is anything I can do
> from my side to "compensate" for this ...
>
> I run ipaudit on all our servers, and a normal 30 minute period looks
> like:
>
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
> 12107
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
> 112
> neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
> 12219
>
> where 200.046.204 is our C-class ...
>
> Now, when the DDoS attack is running, those stats change to:
>
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
> 5815
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
> 594189
> neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
> 600004
>
> We're getting *a lot* of traffic on our network that just is not ours ...

Seems that when the CISCO box upstream gets overloaded it starts sending
packets everywhere, instead of just to the networks they're intended for.

You could put in a filtering bridge upstream of your unmanaged switch,
which would let you strip out everything not intended for your assigned
subnet. However, as your FreeBSD servers seem to be handling the load
just fine, that probably won't do you much good.

If the switch upstream of you is completely overloaded, there's not a lot
you can do, other than get your network moved over to some less loaded
equipment.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
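The grep-and-count check Marc describes can be made more robust by matching on the actual source/destination prefix rather than a substring, and turned into a threshold alarm for the "traffic that is not ours" symptom. The following is an added example, not code from the thread; it assumes a simplified ipaudit-like line layout ("src dst proto sport dport bytes packets") and constructed sample flows, so adjust the column indexes to the real ipaudit output you have.

```python
import ipaddress
from collections import Counter

OUR_NET = ipaddress.ip_network("200.46.204.0/24")  # the C-class from the post

# Constructed sample flows in an assumed, simplified ipaudit-like layout:
#   src dst proto sport dport bytes packets
# Octets are zero-padded the way ipaudit prints them, which is why the
# plain grep for "200.046.204" in the post works on that output.
SAMPLE = """\
200.046.204.010 010.001.002.003 6 00080 33412 4500 9
010.001.002.003 200.046.204.010 6 33412 00080 600 5
192.000.002.050 198.051.100.007 17 01024 00053 120 1
192.000.002.051 198.051.100.007 17 01025 00053 120 1
203.000.113.009 198.051.100.007 17 02000 00053 120 1
"""

def normalize(addr: str) -> str:
    """Strip zero padding: "200.046.204.010" -> "200.46.204.10".
    ipaddress rejects leading zeros as ambiguous, so this is required."""
    return ".".join(str(int(octet)) for octet in addr.split("."))

def is_ours(addr: str, net=OUR_NET) -> bool:
    """True if the address falls inside our assigned prefix."""
    return ipaddress.ip_address(normalize(addr)) in net

def classify_flows(text: str, net=OUR_NET) -> Counter:
    """Count flows touching our prefix ("ours") vs flows that never do ("foreign")."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        src, dst = fields[0], fields[1]
        counts["ours" if is_ours(src, net) or is_ours(dst, net) else "foreign"] += 1
    return counts

def foreign_fraction(counts: Counter) -> float:
    """Share of flows that do not involve our prefix at all."""
    total = counts["ours"] + counts["foreign"]
    return counts["foreign"] / total if total else 0.0

def looks_like_misdirected_flood(counts: Counter, threshold: float = 0.5) -> bool:
    """In the post a quiet window is ~1% foreign flows and the attack ~99%;
    a fixed threshold separates the two cleanly."""
    return foreign_fraction(counts) > threshold

if __name__ == "__main__":
    c = classify_flows(SAMPLE)
    print(c, round(foreign_fraction(c), 2), looks_like_misdirected_flood(c))
```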