From owner-freebsd-pf@FreeBSD.ORG Mon Aug 20 17:20:28 2012
Message-ID: <503271D8.1040707@gmail.com>
Date: Mon, 20 Aug 2012 19:20:24 +0200
From: "Bartek W. aka Mastier"
To: freebsd-pf@freebsd.org
References: <20120820162752.GA28945@DataIX.net>
In-Reply-To: <20120820162752.GA28945@DataIX.net>
Subject: Re: Fighting DDOS attacks with pf

On 20.08.2012 18:27, Jason Hellenthal wrote:
> All of the methods listed in more recent messages are just fine
> methods to *somewhat* handle the DDoS on the hosts being attacked.
>
> - *But* -
>
> The only way you are going to take care of this is going to your
> provider at the next level and asking them for assistance. Most of the
> addresses you will be seeing are probably spoofed or part of some
> amplification attack at which you will end up blocking out legitimate
> customers anyhow.
>
> So level up and go to your Tier 2, Tier 1's.

Besides, I advise you to check thoroughly where the attacks are actually
coming from. In our case a lot of ACK and SYN attacks with IP addresses
looking like PA or PI addresses outside our network eventually appeared to
be our customers having those public addresses spoofed on their machines,
causing global chaos. I am not sure which malware was causing such
behaviour, but do your research in that direction. Check if those massive
SYNs are actually coming from the WAN. Use tcpdump or trafshow to review
whether these public addresses are really in the WAN.

>
> On Mon, Aug 20, 2012 at 11:53:09AM -0400, J David wrote:
>> Hello,
>>
>> We experience frequent DDOS attacks, and we're having a tough time
>> mitigating them with pf. We have plenty of bandwidth and processing
>> power, we just can't seem to get the rules right.
>>
>> If, for example, I have a single IP address on the outside attacking a
>> range of IPs on the inside, it is very easy to write a max-src-states
>> rule that will count the states for that IP and flush the attacker to
>> a "drop quick" table if they exceed the limit.
>>
>> However, the nature of a DDOS attack is that there is not a single
>> source IP. The source IP is either outright forged or one of a large
>> number of compromised attacking hosts. So what I really want to do is
>> have a "max-dst-states" rule that would at least temporarily blackhole
>> an IP being attacked, but there's no such thing.
>>
>> Currently we have to run a script once per minute that parses "pfctl
>> -s info" looking for large numbers of states to a common destination.
>> But as we have our states set to 1000000, this is really inefficient
>> and of course takes at least a minute to catch up to an attack.
>>
>> Is there a better way to do this?
>>
>> This is on FreeBSD 9.1-PRERELEASE #0 r238540.
>>
>> Thanks for any help!
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
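An added example, not code from anyone in this thread: a parser over pf's state listing that gives the per-destination state count J David wants (the "max-dst-states" view) and the check Bartek suggests, flagging inbound states whose source address falls inside one's own prefixes. The sample lines, address ranges, threshold and function names are assumptions; the column layout follows the `pfctl -s state` display, with inbound states printed as "local <- remote".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `pfctl -s state` output (documentation address ranges).
# Inbound states print "local <- remote", outbound ones "local -> remote".
SAMPLE_STATES = """\
all tcp 198.51.100.10:80 <- 203.0.113.7:51234       SYN_SENT:CLOSED
all tcp 198.51.100.10:80 <- 203.0.113.8:51235       SYN_SENT:CLOSED
all tcp 198.51.100.10:80 <- 203.0.113.9:51236       SYN_SENT:CLOSED
all tcp 198.51.100.10:80 <- 198.51.100.77:40000     SYN_SENT:CLOSED
all tcp 198.51.100.20:443 <- 203.0.113.7:51300      ESTABLISHED:ESTABLISHED
all udp 198.51.100.20:53 <- 203.0.113.50:4242       MULTIPLE:SINGLE
all tcp 198.51.100.5:52000 -> 192.0.2.1:443         ESTABLISHED:ESTABLISHED
"""

# <if> <proto> <addr>[ (<nat addr>)] <-|-> <addr>[ (<nat addr>)] <state>
STATE_RE = re.compile(
    r"^\S+\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+(<-|->)\s+(\S+)(?:\s+\(\S+\))?")

def strip_port(host):
    """Drop the :port suffix (IPv4 form only in this example)."""
    return host.rsplit(":", 1)[0]

def parse_states(text):
    """Yield (proto, dst, src, inbound) per state line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        proto, left, arrow, right = m.groups()
        inbound = arrow == "<-"
        dst, src = (left, right) if inbound else (right, left)
        yield proto, strip_port(dst), strip_port(src), inbound

def states_per_destination(text):
    """Number of states per destination host, i.e. the 'max-dst-states' view."""
    return Counter(dst for _proto, dst, _src, _in in parse_states(text))

def overloaded_destinations(text, limit):
    """Destinations holding more than `limit` states: candidates for a temporary blackhole table."""
    return sorted(d for d, n in states_per_destination(text).items() if n > limit)

def inside_sources_on_inbound(text, local_nets):
    """Inbound states whose source lies in our own prefixes: the spoofing case described above."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return sorted({src for _p, _d, src, inbound in parse_states(text)
                   if inbound and any(ipaddress.ip_address(src) in n for n in nets)})
```

Feeding it live output (`pfctl -s state`) instead of the sample walks the full state table once per run, so it is still a polling approach rather than the in-kernel limit the thread asks for.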