From: Ivan Voras
To: freebsd-questions@freebsd.org
Date: Mon, 15 Mar 2010 22:11:46 +0100
Subject: Re: Info on DOS mitigation, kernel configuration for DOS mitigation

Bogdan Webb wrote:
> Hello everyone!
>
> First of all I would like to apologize to anyone who finds my appeal a lazy
> man's choice, actually it's indeed lazy but it's the best way to get an
> answer from a valid source. My problem is a potential DOS/DDOS... I know a
> forever talked about issue... I've already searched the freebsd's mailing
> lists and found some mitigation techniques, too bad that google ain't that
> familiar with FreeBSD, and searchin' for guides is a pain... I recall
> finding a mitigation technique that involved bandwidth shaping and other ...
> I'm using a FreeBSD 7.2-p7 with ipfw and upon testing the rules in those
> guides it alerted me that bandwidth modules weren't included in the bsd's
> kernel... Anyway could anyone provide me with a good BSD walkthrough for DOS

kldload dummynet, see loader.conf(5)

> mitigation and if needed kernel modules and kernel module integration, maybe
> other firewall (but with extended howto..) ... (basically anything regarded
> to floods)

As you probably guess, a) this is a complex problem because one man's DOS is
another's regular traffic - it's complex even to detect something like that,
and b) most of the general solutions are not platform-specific but can apply
to any operating system, so you can learn it from many sources.

First, you need to define what your outgoing network connection is (e.g.
"10 mbit/s") and then see what kinds of tradeoffs you are prepared to make to
protect yourself.

The general advice is:

- read ipfw(5), especially sections on dummynet and the "limit" rule
- study software like http://codee.pl/cband.html
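
The two ipfw features the reply points to (a dummynet pipe sized to the uplink, and the "limit" rule), shown as a rule fragment. This is an added illustration, not part of Ivan Voras's message; the interface name, port, rule numbers and per-source cap are assumed values, and the fragment is meant to be merged into an existing ruleset.

```shell
#!/bin/sh
# Added example: prints an ipfw/dummynet rule fragment; nothing is executed here.
# 10Mbit/s is the uplink figure used in the reply; the other defaults are
# assumptions to adapt to the host.
UPLINK_BW="${UPLINK_BW:-10Mbit/s}"
PER_SRC_CONNS="${PER_SRC_CONNS:-20}"   # assumed cap on concurrent TCP sessions per source
SERVICE_PORT="${SERVICE_PORT:-80}"     # assumed service to protect
IFACE="${IFACE:-em0}"                  # assumed external interface

# The printed commands are meant to be run as root, so refuse any value that
# is not a plain number, interface name or bandwidth before interpolating it.
valid_inputs() {
    case "$PER_SRC_CONNS" in ''|0|*[!0-9]*) return 1 ;; esac
    case "$SERVICE_PORT"  in ''|0|*[!0-9]*) return 1 ;; esac
    [ "$SERVICE_PORT" -le 65535 ] || return 1
    case "$IFACE" in ''|*[!a-z0-9]*) return 1 ;; esac
    expr "X$UPLINK_BW" : 'X[0-9][0-9]*[KM]bit/s$' >/dev/null
}

# Print the rule fragment, one command per line, with explanatory comments.
build_rules() {
    valid_inputs || { echo "refusing: invalid parameter" >&2; return 1; }
    cat <<EOF
# load the traffic shaper (the module the reply tells the poster to kldload)
kldload dummynet
# packets leaving a pipe continue at the next rule instead of being accepted
sysctl net.inet.ip.fw.one_pass=0
# one pipe sized to the uplink; all outbound traffic on the interface uses it
ipfw pipe 1 config bw $UPLINK_BW
ipfw add 100 pipe 1 ip from any to any out via $IFACE
# packets of sessions admitted by rule 300 match their dynamic state here
ipfw add 200 check-state
# admit new sessions, at most $PER_SRC_CONNS concurrent per source address
ipfw add 300 allow tcp from any to me $SERVICE_PORT in via $IFACE setup limit src-addr $PER_SRC_CONNS
# explicit deny so a SYN over the cap never reaches a later allow rule
ipfw add 400 deny tcp from any to me $SERVICE_PORT in via $IFACE setup
EOF
}

build_rules
```

Review the printed commands before running them as root; `dummynet_load="YES"` in loader.conf(5) loads the module at boot instead of the `kldload` line.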