Date: Mon, 22 Sep 2008 07:05:49 +0200
From: "Redd Vinylene" <reddvinylene@gmail.com>
To: questions@freebsd.org, misc@openbsd.org
Subject: Re: pf to block against DDoS?
Message-ID: <f1019d520809212205n2316110fg7328584a07f17d23@mail.gmail.com>
> > > > From: Redd Vinylene <reddvinylene@...>
> > > > To: <questions@...>, <misc@...>
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter <lists@...>
> > > To: Redd Vinylene <reddvinylene@...>
> > > Cc: <questions@...>, <misc@...>
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > > http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > > -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen <peter@...>
> > To: Oliver Peter <lists@...>
> > Cc: Redd Vinylene <reddvinylene@...>, <questions@...>, <misc@...>
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that! However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> >
>
> From: Lars Noodén <larsnooden@...>
> To: Oliver Peter <lists@...>
> Cc: Redd Vinylene <reddvinylene@...>, <misc@...>
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Sorry, _this_ is my webserver's pf.conf (the other one was my home firewall's):

-
mad = "80.202.2.3"
doom = "{ 80.202.2.4 - 80.202.2.127 }"
ext_if = "rl0"

set block-policy return
set skip on { lo0 }

scrub in

table <bruteforce> persist

pass out keep state

block in
block quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from any to $mad port { 25, 53, 80, 110 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto udp from any to $mad port 53 keep state
pass in on $ext_if inet proto tcp from any to $doom port { 20, 21, 113, 6000:9999 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from any to any keep state
-

I hope the design adheres to: http://en.wikipedia.org/wiki/KISS_principle

--
http://www.home.no/reddvinylene
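As an added illustration that is not part of the thread, here is Lars's two-table idea applied to the port-22 rule above: a first overload only moves the source into a throttled <slow> table, and a second overload from there lands it in the blocked <bruteforce> table. The interface, the ALTQ bandwidth and queue names, and the thresholds are assumptions, not anyone's production config.

```pf
# Added example (not from the thread). Interface, queue names and
# thresholds are assumptions.
ext_if = "rl0"

table <slow> persist          # first overload: throttled, second chance
table <bruteforce> persist    # second overload: blocked outright

# ALTQ: a small "slow" queue for hosts that tripped the first limit.
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std bandwidth 95% cbq(default)
queue slow bandwidth 5% cbq

block in
block in quick from <bruteforce>

# Stage 1: ordinary clients. Exceeding the limit moves the source into
# <slow> and flushes its states, so its next connections hit stage 2.
pass in on $ext_if inet proto tcp from any to any port 22 \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <slow> flush global)

# Stage 2: hosts already in <slow>. pf is last-match, so this rule wins
# for them: traffic goes to the slow queue under a tighter limit, and a
# second overload moves the source into <bruteforce>.
pass in on $ext_if inet proto tcp from <slow> to any port 22 \
    keep state (max-src-conn 5, max-src-conn-rate 2/10, \
                overload <bruteforce> flush global) queue slow

pass out keep state
```

Entries never leave either table on their own; a cron job such as `pfctl -t slow -T expire 3600` gives throttled hosts their second chance back after an hour and keeps the tables from growing without bound.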