Date:      Sun, 10 Feb 2013 10:35:57 -0600
From:      khatfield@socllc.net
To:        James Howlett <jim.howlett@outlook.com>
Cc:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD DDoS protection
Message-ID:  <935214494.7700.1360514165103@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
In-Reply-To: <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>

James,
That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?

You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion. Works incredibly well.

ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.

If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.

Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

However, if the BSD box is either livelocking or crashing then you need to fix that first.

I would state that enabling polling can be done from the command line if it's already enabled in the kernel.

Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

Thanks,
Kevin


On Feb 10, 2013, at 3:07 AM, "James Howlett" <jim.howlett@outlook.com> wrote:

> Hello,
>
> Kevin, thank You for the information.
>
>> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>>
>> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>
> Let me tell You a bit about my setup. All my connections to ISPs are 1 Gigabit each.
> They are terminated on my switch, and the router is connected to that switch.
>
>> Deny all ICMP (drop I mean) and UDP except where specifically required.
>
> Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.
>
>> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
>
> This is already done. I also have out of band management to my router over a different network connection. If all my ISPs fail I can still connect to that router.
>
>> The less you do with the firewall (routing/blocking/inspecting) the better.
>>
>> Drop drop drop ;)
>>
>> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
>
> I have the following ethernet cards in my router:
>   device     = '82579LM Gigabit Network Connection'
>   device     = '82571EB Gigabit Ethernet Controller'
>   device     = '82571EB Gigabit Ethernet Controller'
>   device     = '82574L Gigabit Network Connection'
>
> but at this moment I use only the 82571EB model.
>
>> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
>
> At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.
>
>> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
>
> There is nothing to apologize for - You are most helpful.
>
>> I have my configs which I can send by tomorrow if needed. (For examples)
>
> That would be great.
>
> All best,
> Jim
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
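The advice in this exchange (allow ping but drop other ICMP, drop UDP port 0, block spoofed sources, restrict ssh to one admin address, and otherwise keep the ruleset small) as one added pf.conf example for the public-facing interface. This is an editor's illustration, not Kevin's ruleset (his configs were offered off-list and are not on this page) and not James's; the interface name em0 (the em(4) driver handles the 82571EB), the monitoring host 198.51.100.7, the admin address 203.0.113.10 and the bogon list are placeholder assumptions. NAT and LAN-forwarding rules are left out because the thread has not settled whether the router NATs.

```pf
# /etc/pf.conf - public-facing interface only (added example, placeholder names)
ext_if       = "em0"            # assumed: the 82571EB facing the ISP switch
monitor_host = "198.51.100.7"   # assumed: the host allowed to ping the router
admin_ip     = "203.0.113.10"   # assumed: the static IP allowed to ssh in

# Source ranges that must never arrive from the Internet (assumed bogon list;
# extend it from your own routing table, not from this example).
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo0
set block-policy drop          # "drop drop drop": no RST/unreachable replies

# Minimal normalisation; more scrub options cost CPU at high PPS.
scrub in on $ext_if all fragment reassemble

# Source spoof protection: packets claiming our own networks on the wrong
# interface, plus anything sourced from a bogon range.
antispoof quick for $ext_if
block in quick on $ext_if from <bogons> to any

# UDP port 0 is never legitimate; drop it before any pass rule can match.
block in quick on $ext_if proto udp from any to any port 0

# Default deny inbound; stateful allow outbound from the router itself.
block in all
pass out quick all keep state

# ICMP: echo-request only from the monitoring host, plus the error types
# path-MTU discovery and traceroute need. Everything else falls to the deny.
pass in on $ext_if inet proto icmp from $monitor_host to ($ext_if) \
    icmp-type echoreq keep state
pass in on $ext_if inet proto icmp icmp-type { unreach, timex } keep state

# Management: ssh only from the admin address, new connections only (S/SA).
pass in on $ext_if proto tcp from $admin_ip to ($ext_if) port 22 \
    flags S/SA keep state

# The one public service the thread mentions.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Note that the rules use `quick` on the drop rules so a flood of spoofed or port-0 packets is discarded at the first match rather than evaluated against the whole ruleset. Polling, which Kevin recommends for the public NIC, is a separate step: with `options DEVICE_POLLING` (and the `options HZ=1000` that polling(4) recommends) compiled into the kernel, `ifconfig em0 polling` turns it on for that interface and `ifconfig em0 -polling` turns it off; make it persistent via `ifconfig_em0="inet ... polling"` in rc.conf, and tune the `kern.polling.*` sysctls only after measuring PPS with the defaults.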



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?935214494.7700.1360514165103>