From: Jason Hellenthal <jhellenthal@dataix.net>
To: J David
Cc: freebsd-pf@freebsd.org
Subject: Re: Fighting DDOS attacks with pf
Date: Mon, 20 Aug 2012 12:27:52 -0400
Message-ID: <20120820162752.GA28945@DataIX.net>

All of the methods listed in more recent messages are just fine methods to *somewhat* handle the DDoS on the hosts being attacked.

- *But* -

The only way you are going to take care of this is going to your provider at the next level and asking them for assistance. Most of the addresses you will be seeing are probably spoofed or part of some amplification attack, in which case you will end up blocking out legitimate customers anyhow. So level up and go to your Tier 2, Tier 1s.
On Mon, Aug 20, 2012 at 11:53:09AM -0400, J David wrote:
> Hello,
>
> We experience frequent DDOS attacks, and we're having a tough time
> mitigating them with pf. We have plenty of bandwidth and processing
> power, we just can't seem to get the rules right.
>
> If, for example, I have a single IP address on the outside attacking a
> range of IPs on the inside, it is very easy to write a max-src-states
> rule that will count the states for that IP and flush the attacker to
> a "drop quick" table if they exceed the limit.
>
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.
>
> Currently we have to run a script once per minute that parses "pfctl
> -s info" looking for large numbers of states to a common destination.
> But as we have our states set to 1000000, this is really inefficient
> and of course takes at least a minute to catch up to an attack.
>
> Is there a better way to do this?
>
> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>
> Thanks for any help!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
 - (2^(N-1)) JJH48-ARIN
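The once-a-minute check J David describes, written out as an added example that is not part of this thread: one awk pass over `pfctl -s state` output counts states per destination address, and every destination over a threshold becomes a `pfctl -t <table> -T add` command for a table that a `block quick` rule references, which is the destination-side counterpart of what `max-src-states ... overload <table>` does for sources. The state lines, the threshold, and the table name `ddos_victims` are constructed here; the script assumes the FreeBSD 9 `pfctl -s state` line layout (`if proto A:port <- B:port STATE` for inbound states, `if proto A:port -> B:port STATE` for outbound, the NAT'd `A -> B -> C` form taken by its last address) and IPv4 addresses only.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts pf states per destination
# address and emits the pfctl commands that would blackhole the hot ones.
# Assumed `pfctl -s state` line formats (IPv4 only):
#   all tcp 192.0.2.10:80 <- 198.51.100.5:40001   SYN_SENT:CLOSED   (inbound)
#   em0 tcp 192.0.2.20:51000 -> 203.0.113.4:443   ESTABLISHED:ESTABLISHED (outbound)

# Constructed sample of `pfctl -s state` output: 192.0.2.10 is being flooded
# with half-open connections, 192.0.2.20 carries ordinary traffic.
SAMPLE_STATES='all tcp 192.0.2.10:80 <- 198.51.100.5:40001       SYN_SENT:CLOSED
all tcp 192.0.2.10:80 <- 198.51.100.6:40002       SYN_SENT:CLOSED
all tcp 192.0.2.10:80 <- 198.51.100.7:40003       SYN_SENT:CLOSED
all tcp 192.0.2.10:80 <- 198.51.100.8:40004       SYN_SENT:CLOSED
all tcp 192.0.2.20:443 <- 198.51.100.9:50001       ESTABLISHED:ESTABLISHED
em0 tcp 192.0.2.20:51000 -> 203.0.113.4:443       ESTABLISHED:ESTABLISHED
em0 udp 192.0.2.20:53000 -> 203.0.113.5:53       SINGLE:NO_TRAFFIC'

# hot_destinations THRESHOLD < states
# Prints "count address" for each destination holding more than THRESHOLD
# states, busiest first. One pass, no per-destination re-parsing.
hot_destinations() {
    awk -v limit="$1" '
        NF >= 5 {
            # inbound states list the local (destination) address on the left;
            # outbound and NAT states list the destination last, before the state
            if ($4 == "<-") dst = $3; else dst = $(NF - 1)
            sub(/:[0-9]+$/, "", dst)        # strip the port
            n[dst]++
        }
        END { for (d in n) if (n[d] > limit) printf "%d %s\n", n[d], d }
    ' | sort -rn
}

# blackhole_destinations THRESHOLD TABLE < states
# Turns each hot destination into the pfctl table-add command. Review the
# output first; pipe it into sh on the firewall only once the threshold is
# tuned. The table (here the constructed name ddos_victims) needs a matching
# `table <ddos_victims> persist` and `block in quick to <ddos_victims>` in pf.conf.
blackhole_destinations() {
    hot_destinations "$1" | while read -r count addr; do
        printf 'pfctl -t %s -T add %s\n' "$2" "$addr"
    done
}

# Stand-alone run over the constructed sample with a threshold of 3 states.
# On a live box this would be:  pfctl -s state | blackhole_destinations 5000 ddos_victims
printf '%s\n' "$SAMPLE_STATES" | blackhole_destinations 3 ddos_victims
```

This only removes the repeated parsing cost; with a state limit of 1000000 it is still a full walk of the state table each run, and it does nothing about the point made in the reply above that the source addresses are likely spoofed. Entries added this way also stay in the table until removed, so pair it with a periodic `pfctl -t ddos_victims -T expire <seconds>` or a flush once the flood ends.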