From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 05:05:53 2008
From: "Redd Vinylene"
To: questions@freebsd.org, misc@openbsd.org
Date: Mon, 22 Sep 2008 07:05:49 +0200
Subject: Re: pf to block against DDoS?
> > > > From: Redd Vinylene
> > > > To: ,
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter
> > > To: Redd Vinylene
> > > Cc: ,
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > > http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > > -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen
> > To: Oliver Peter
> > Cc: Redd Vinylene , ,
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that! However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> >
>
> From: Lars Noodén
> To: Oliver Peter
> Cc: Redd Vinylene ,
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Sorry, _this_ is my webserver's pf.conf (the other one was my home firewall's):

-
mad = "80.202.2.3"
doom = "{ 80.202.2.4 - 80.202.2.127 }"
ext_if = "rl0"

set block-policy return
set skip on { lo0 }
scrub in

# The overload table's name was lost when the archive stripped the angle
# brackets; <TABLE_NAME> below is a placeholder, not the name that was posted.
table <TABLE_NAME> persist

pass out keep state
block in
block quick from <TABLE_NAME>

pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <TABLE_NAME> flush global)
pass in on $ext_if inet proto tcp from any to $mad port { 25, 53, 80, 110 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <TABLE_NAME> flush global)
pass in on $ext_if inet proto udp from any to $mad port 53 keep state
pass in on $ext_if inet proto tcp from any to $doom port { 20, 21, 113, 6000:9999 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <TABLE_NAME> flush global)
pass in on $ext_if inet proto icmp from any to any keep state
-

I hope the design adheres to: http://en.wikipedia.org/wiki/KISS_principle

--
http://www.home.no/reddvinylene
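Lars Noodén's two-table idea is described in the thread but not written out, and the posted pf.conf uses a single overload table with no expiry. The following pf.conf is an added example, not code from any participant in the thread: it assumes the same external interface (rl0) and server address as the posted config, a kernel with ALTQ, and the table names <suspects> and <bruteforce>, the queue names and the bandwidth figure, all chosen here for illustration.

```pf
# Added example: two-stage overload handling for sshd with pf state tracking.
# Assumptions: ext_if rl0, server address $mad, ALTQ available, table and
# queue names chosen for this example.
ext_if = "rl0"
mad    = "80.202.2.3"

set block-policy return
set skip on { lo0 }
scrub in

# Stage 1: a host that trips the loose limits lands in <suspects> and gets a
# second chance in the slow queue.
# Stage 2: a host that trips the strict limits while in <suspects> lands in
# <bruteforce> and is blocked outright.
table <suspects>   persist
table <bruteforce> persist

# ALTQ shapes packets leaving $ext_if, so the slow queue throttles the
# server's replies to suspects, not the inbound SYNs themselves.
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_slow }
queue q_std  bandwidth 95% cbq(default)
queue q_slow bandwidth 5%  cbq

block in
block in quick from <bruteforce>
pass out keep state

# Default rule: loose limits; overload moves the source to <suspects> and
# "flush global" kills every state it currently holds.
pass in on $ext_if inet proto tcp from any to $mad port 22 \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <suspects> flush global)

# pf's last-matching-rule-wins semantics make this rule apply to hosts already
# in <suspects>: strict limits, slow queue, second overload -> <bruteforce>.
pass in on $ext_if inet proto tcp from <suspects> to $mad port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global) \
    queue q_slow

# Neither table ages out on its own. Expire entries from cron, for example:
#   pfctl -t suspects   -T expire 3600
#   pfctl -t bruteforce -T expire 86400
```

The rule order matters: both pass rules lack `quick`, so a source in <suspects> matches the second, stricter rule for every new connection until its table entry expires. Checking what the tables currently hold (`pfctl -t suspects -T show`) is the quickest way to see whether the loose limits are tripping on legitimate clients before tightening them.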