From owner-freebsd-net Sun Jan 5 13:31:27 2003
Date: Sun, 5 Jan 2003 13:31:24 -0800 (PST)
From: Josh Brooks
To: Lars Eggert
Cc: freebsd-net@freebsd.org
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
In-Reply-To: <3E18A1BA.8000607@isi.edu>
Message-ID: <20030105132545.I80512-100000@mail.econolodgetulsa.com>

Hello,

Ok, right now this second, everything is normal, I am not under attack
AFAIK, and everything is working wonderfully - and when I run top I see:

21 processes: 1 running, 20 sleeping
CPU states:  0.0% user,  0.0% nice,  0.0% system, 41.7% interrupt, 58.3% idle
Mem: 6812K Active, 43M Inact, 28M Wired, 28K Cache, 35M Buf, 170M Free
Swap: 128M Total, 128M Free

and it fluctuates between 20-60% idle.  So it does look like the cpu is
being used :)

uptime tells me:

# uptime
 1:22PM  up 20 days, 11:52, 2 users, load averages: 0.02, 0.01, 0.00

-----

ipfw rules:

# ipfw show | wc -l
     927

So, I have 927 ipfw rules in place - but I am guessing that about 800 of
those rules are just "count" rules for me to count bandwidth:

001 164994 120444282 count ip from any to 10.10.10.10
002 158400  16937232 count ip from 10.10.10.10 to any

------

CPU is a ... celeron 500 ? 600 ? Something like that, and I have 256 megs
ram.

More information: although it looks like I am using a lot of cpu, and do
indeed have a lot of ipfw rules, I _do know_ that it was an attack, as it
was aimed at IPs running very high profile services (ircd, etc.) that have
been targets in the past.  We filtered those IPs and the problem went away
instantly.

So again, what should I be looking to add ?  Before my list included only
the syn/fin protection, and now I am being told to block all icmp types
besides 0,3,8,11.  Any other thoughts ?

thanks!

On Sun, 5 Jan 2003, Lars Eggert wrote:

> On 1/5/2003 1:05 PM, Josh Brooks wrote:
> >
> > I am running this as my firewall/router:
> >
> > 4.4-RELEASE FreeBSD 4.4-RELEASE #0
> >
> > And I have no ability to change that anytime soon. Recently I have been
> > having a lot of trouble with floods/ddos/etc. When these attacks occur,
> > my firewall is totally unresponsive, I cannot ssh in to type a single
> > command (and thus cannot tcpdump anything) and clients of systems on the
> > inside either get no response, or get:
>
> What processor and NICs do you use? This sounds like your machine is
> being pushed into livelock, which shouldn't happen at the traffic load
> you described (when you say "megs", do you mean Mb/s or MB/s?)
> Complicated firewall rule sets also eat CPU time.
>
> Lars
> --
> Lars Eggert                       USC Information Sciences Institute
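The rule set this message is circling around (the existing syn/fin drop, the suggested 0,3,8,11 ICMP allow-list, and the roughly 800 "count" rules), put together as an added example that is not part of this message, of the thread, or of FreeBSD's own rc.firewall. The one point worth making in code is ordering: ipfw1 walks the chain linearly for every packet and stops at the first allow or deny that matches, while count rules never terminate the walk, so on a 4.x router the deny rules belong in front of the accounting block, not behind it. The host list, the rule numbers and the 65000 catch-all are hypothetical; the generator only prints the file, it does not touch the kernel.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: print an ipfw(8) rule
# file for a flood-prone 4.x router, deny rules first, accounting rules last.
# Assumptions (hypothetical): MONITORED_HOSTS are the machines the poster's
# "count" rules account for; ALLOWED_ICMP is the 0,3,8,11 advice from the thread.

ALLOWED_ICMP="0,3,8,11"   # echo reply, dest unreachable, echo request, time exceeded
MONITORED_HOSTS="${MONITORED_HOSTS:-10.10.10.10}"

# gen_rules prints one ipfw command per line, the form `ipfw -q <file>` reads.
# Order matters on ipfw1: the chain is scanned top to bottom per packet, the
# first allow/deny that matches ends the scan, and count rules never end it.
# Putting the denies first means flood traffic never pays for the ~800-rule
# accounting block underneath.
gen_rules() {
    # syn+fin never occurs in a legitimate handshake; drop it outright.
    echo "add 100 deny tcp from any to any tcpflags syn,fin"
    # ICMP: pass only the types needed for ping, PMTU discovery and
    # traceroute replies; deny every other type.
    echo "add 200 allow icmp from any to any icmptypes $ALLOWED_ICMP"
    echo "add 210 deny icmp from any to any"
    # Per-host accounting, two count rules per host as in the poster's set.
    n=1000
    for host in $MONITORED_HOSTS; do
        echo "add $n count ip from any to $host"
        n=$((n + 1))
        echo "add $n count ip from $host to any"
        n=$((n + 1))
    done
    # Hypothetical catch-all; a real set ends with whatever policy the site has.
    echo "add 65000 allow ip from any to any"
}

# rule_position PATTERN prints the line number of the first generated rule
# matching PATTERN, so the deny-before-count ordering can be checked without
# loading anything into the kernel.
rule_position() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

Run `sh gen-ipfw.sh print > rules.txt`, read it, then load it from the console rather than over ssh: on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT the default rule denies everything between `ipfw -q -f flush` and `ipfw -q rules.txt`, and the session would be cut off in between.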