From: Zhang Weiwu <zhangweiwu@realss.com>
Date: Sun, 25 Nov 2007 00:36:48 +0800
To: freebsd-questions@freebsd.org
Cc: Quan Qiu
Subject: [SOLVED] Re: how to fight concurrent connection DOS attack to FreeBSD ftpd?
Message-ID: <47485320.1070002@realss.com>
References: <47483686.3030400@realss.com> <53a565700711240738n1cecd432td03a9e00aa689d13@mail.gmail.com>
In-Reply-To: <53a565700711240738n1cecd432td03a9e00aa689d13@mail.gmail.com>
Thank you very much to everyone who helped me. As a summary:

1. Bill Moran pointed out the mistake in ftpd.conf, which should refer to lukemftpd (but referred to ftpd). He also suggested using lukemftpd in place of ftpd, but my ftpd is patched by myself and I prefer not to patch it again for lukemftpd (too little time now), thus I prefer to keep using ftpd;

2. JD Bronson suggested using pf for controlling traffic, which is more powerful and can solve more problems, but takes a learning curve;

3. Quan Qiu gave an instant fix method, starting ftpd from inetd.conf, which instantly solved my problem. I also need to give not only

    nowait/50/10

but also

    nowait/50/10/10

because the attacker is very determined: with "nowait/50/10" he makes sure I get 50 connections after 5 minutes, making other people unable to log in.

Quan Qiu wrote:
> On Nov 24, 2007 10:34 PM, Zhang Weiwu wrote:
>
>> I run an ftp site which is being attacked by someone who issues some 1000
>> concurrent connections for downloading as anonymous. How can I fight back?
>>
>> If ftpd.conf is not the right manual page to read, can you suggest which
>> configuration manual to read to fight back this attack? Thanks in advance!
>
> Try wrapping your ftpd using inetd. There are some limits to max child
> processes and max connections per ip in inetd.conf(5). An example for
> vsftpd:
>
> ftp stream tcp nowait/50/10 root /usr/local/libexec/vsftpd vsftpd
>
> Refer to the inetd.conf(5) manpage for more.
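The exchange above turns on what the fourth field of an inetd.conf(5) entry actually limits: nowait/50/10 caps the daemon at 50 children and one address at 10 new connections per minute, while the extra /10 in nowait/50/10/10 also caps how many children one address may hold at once. The following Python script is an added illustration, not code from this thread or from FreeBSD: it parses inetd.conf lines (the vsftpd line quoted above plus a constructed ftpd line mirroring the stock inetd.conf entry) and runs a deliberately simplified model of a single client that keeps every accepted connection open and retries 1000 times a minute. The model assumes the per-minute counter resets at each minute boundary and ignores other clients; the "0 means unlimited" handling follows the max-child rule in inetd.conf(5).

```python
"""Model of the inetd.conf(5) wait/nowait connection limits (added example,
not from the mailing-list thread or from FreeBSD).

FreeBSD's inetd accepts up to three limits in the fourth field of an entry:

    nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip

This script parses that field and simulates, in a simplified way, how many
children one source address can pile up when it holds every accepted
connection open, which is what a long anonymous download does.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InetdLimits:
    nowait: bool
    max_child: Optional[int] = None                # global cap on children
    max_conn_per_ip_per_min: Optional[int] = None  # per-address rate limit
    max_child_per_ip: Optional[int] = None         # per-address concurrency cap


def parse_wait_field(text: str) -> InetdLimits:
    """Parse a 'nowait/50/10/10' style field. A missing number means no limit;
    0 is treated as unlimited as well (inetd.conf(5) documents that for max-child)."""
    parts = text.split("/")
    if parts[0] not in ("wait", "nowait") or len(parts) > 4:
        raise ValueError(f"bad wait field: {text!r}")
    nums = [int(p) for p in parts[1:]]
    nums += [0] * (3 - len(nums))
    limit = lambda n: n if n > 0 else None
    return InetdLimits(parts[0] == "nowait", *map(limit, nums))


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    limits: InetdLimits
    user: str
    program: str
    args: List[str]


def parse_inetd_line(line: str) -> Optional[InetdEntry]:
    """Parse one inetd.conf line; returns None for comments and blank lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    f = body.split()
    if len(f) < 6:
        raise ValueError(f"too few fields: {line!r}")
    return InetdEntry(f[0], f[1], f[2], parse_wait_field(f[3]), f[4], f[5], f[6:])


def simulate_one_client(limits: InetdLimits, minutes: int, attempts_per_minute: int) -> int:
    """Children held by a single source address after `minutes` minutes.

    Simplified model (assumption): every accepted connection stays open for the
    whole run, the client retries `attempts_per_minute` times each minute, the
    per-minute counter resets at each minute boundary, and no one else connects.
    """
    held = 0
    for _ in range(minutes):
        accepted_this_minute = 0
        for _ in range(attempts_per_minute):
            if limits.max_child is not None and held >= limits.max_child:
                break  # daemon is full: this is the state that locks everyone else out
            if limits.max_child_per_ip is not None and held >= limits.max_child_per_ip:
                break  # this address is at its concurrency cap
            if (limits.max_conn_per_ip_per_min is not None
                    and accepted_this_minute >= limits.max_conn_per_ip_per_min):
                break  # this minute's rate budget for the address is spent
            held += 1
            accepted_this_minute += 1
    return held


# Constructed sample: the vsftpd line is the one quoted in the thread; the ftpd
# line mirrors the stock FreeBSD inetd.conf entry with the stricter limits.
SAMPLE_CONF = """\
# anonymous ftp served through inetd
ftp     stream  tcp     nowait/50/10    root /usr/local/libexec/vsftpd vsftpd
ftp     stream  tcp     nowait/50/10/10 root /usr/libexec/ftpd ftpd -l
"""


def compare_settings(conf: str = SAMPLE_CONF, minutes: int = 5, attempts: int = 1000) -> dict:
    """Map each entry's wait field to the children one client can hold."""
    result = {}
    for line in conf.splitlines():
        entry = parse_inetd_line(line)
        if entry is not None:
            result[line.split()[3]] = simulate_one_client(entry.limits, minutes, attempts)
    return result


if __name__ == "__main__":
    for setting, held in compare_settings().items():
        print(f"{setting:16s} -> one client holds {held} children after 5 minutes")
```

Run as-is it reports 50 for nowait/50/10 and 10 for nowait/50/10/10, which is the arithmetic behind the author's observation: a per-address rate limit only slows the accumulation (10 per minute, so all 50 slots after 5 minutes), whereas the per-address child cap bounds what any one source can ever hold, leaving the remaining 40 slots for other users.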