Date: Sat, 28 Jun 2003 04:47:12 +0100
From: Jez Hancock <jez.hancock@munk.nu>
To: FreeBSD questions List <freebsd-questions@freebsd.org>
Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting
Message-ID: <20030628034712.GA67871@users.munk.nu>
In-Reply-To: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
References: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
Hi,

Regarding your main question I'm afraid I can't really help - although what the other person said about not being able to do a whole lot about it I think is generally the case, unfortunately.

I run a number of eggdrop bots on my home network (about 20 full time bots in all, around 100 shell users in all) and have seen a few similar DDoS attacks from botnets (characterized by open ports 80 and 113) which really clogged the system. Luckily in my case the last attack was a relatively simple ICMP attack with fragmented packets (_lots_ of them, around 30MB in 5 minutes on a 512k ADSL connection). This was easy enough to block with ipf (incidentally you are using ipf aren't you :). Very annoying, and generally I just felt like stopping my users from running their eggdrops (as you no doubt know there's little way to tell exactly what/who caused the attack to be brought about; banning one user who has brought it on isn't possible).

> And a last thing, I use right now tcpdump, trafshow, ipfm to trace the
> source (attackers) and the destination (which one of my ips is attacked)
> ips. Do you suggest any other tools to make my life easier?

lsof is very useful for gaining additional insight into network connections. I found the perl scripts located in the scripts directory to be very insightful, particularly in how to incorporate lsof into a custom tool. I particularly needed to know which eggdrop was attempting to connect to private address ranges which were blocked by the firewall and causing lots of log entries. lsof easily allowed me to determine what user owned the process that spawned these connection attempts (sockstat/netstat is ok, but filtering lsof output is a lot easier).

Anyway, good luck,

Regards,
Jez
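The message above describes using lsof to work out which shell user owns the process behind connection attempts to private address ranges. The script below is an added illustration of that workflow and is not code from the poster or from the FreeBSD project: it parses the text layout of `lsof -i -n -P` (an assumption about column order; the sample rows are constructed for the demonstration, not real output) and reports, per local user, which processes have a peer in RFC 1918 space.

```python
"""Attribute connection attempts to RFC 1918 ranges to the owning local user.

Added example: parses the text format of `lsof -i -n -P` (all network files,
numeric hosts and ports) and groups peers in private address space by user.
The sample input below is constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output: header plus a few rows.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
eggdrop   1234 alice    6u  IPv4 0xdead      0t0  TCP 203.0.113.5:40001->10.0.0.5:6667 (SYN_SENT)
eggdrop   1234 alice    7u  IPv4 0xbeef      0t0  TCP 203.0.113.5:3333 (LISTEN)
eggdrop   2345   bob    5u  IPv4 0xcafe      0t0  TCP 203.0.113.5:40002->192.168.1.20:6667 (SYN_SENT)
irssi     3456 carol    8u  IPv4 0xf00d      0t0  TCP 203.0.113.5:40003->198.51.100.9:6667 (ESTABLISHED)
eggdrop   1234 alice    9u  IPv4 0x1234      0t0  TCP 203.0.113.5:40004->172.16.5.5:113 (SYN_SENT)
sshd      4567  root    4u  IPv6 0x5678      0t0  TCP [::1]:22->[::1]:50000 (ESTABLISHED)
"""

# RFC 1918 private ranges; the poster's firewall blocked traffic to these.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _remote_host(name_field):
    """Return the peer host from an lsof NAME field, or None if there is no peer."""
    if "->" not in name_field:
        return None
    peer = name_field.split("->", 1)[1]
    if peer.startswith("["):            # IPv6 literal: [addr]:port
        return peer[1:peer.index("]")]
    return peer.rsplit(":", 1)[0]       # IPv4: addr:port


def parse_lsof(text):
    """Parse `lsof -i -n -P` rows into dicts, skipping the header and short lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        rows.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "proto": parts[7],
            "name": parts[8],
            "state": parts[9].strip("()") if len(parts) > 9 else "",
        })
    return rows


def private_attempts_by_user(text):
    """Map user -> list of (pid, command, peer host) for peers in private space."""
    result = defaultdict(list)
    for row in parse_lsof(text):
        host = _remote_host(row["name"])
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                    # hostname or unparsable field; ignore
        if any(addr in net for net in PRIVATE_NETS):
            result[row["user"]].append((row["pid"], row["command"], host))
    return dict(result)


if __name__ == "__main__":
    for user, hits in sorted(private_attempts_by_user(SAMPLE_LSOF).items()):
        print(f"{user}: {len(hits)} attempt(s) to private address space")
        for pid, cmd, host in hits:
            print(f"  pid {pid} ({cmd}) -> {host}")
```

On a live box the same functions can be fed `subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True).stdout`; listening sockets and connections to public peers are left out, so what remains is exactly the set of users whose processes are generating the blocked-by-firewall log entries the poster was chasing.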