From owner-freebsd-hackers Thu Jan 16 11:20:37 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 896D137B401 for ; Thu, 16 Jan 2003 11:20:35 -0800 (PST)
Received: from heron.mail.pas.earthlink.net (heron.mail.pas.earthlink.net [207.217.120.189]) by mx1.FreeBSD.org (Postfix) with ESMTP id 09FC543EB2 for ; Thu, 16 Jan 2003 11:20:35 -0800 (PST) (envelope-from tlambert2@mindspring.com)
Received: from pool0018.cvx21-bradley.dialup.earthlink.net ([209.179.192.18] helo=mindspring.com) by heron.mail.pas.earthlink.net with asmtp (SSLv3:RC4-MD5:128) (Exim 3.33 #1) id 18ZFZ2-0007fO-00; Thu, 16 Jan 2003 11:20:33 -0800
Message-ID: <3E2705AE.B7C3D835@mindspring.com>
Date: Thu, 16 Jan 2003 11:19:10 -0800
From: Terry Lambert
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Josh Brooks
Cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
References: <20030116104652.T86991-100000@mail.econolodgetulsa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: b1a02af9316fbb217a47c185c03b154d40683398e744b8a4c1392c731d6595d9fb7e8f3e7cbd587693caf27dac41a8fd350badd9bab72f9c350badd9bab72f9c
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Josh Brooks wrote:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw ?
>
> I am getting hammered by a different (D)DoS attack every single day - it's
> always something new. I am thinking of buying a netscreen, but on the
> other hand I really like FreeBSD, I really like a host-based firewall, and
> I hate to admit defeat.
You cannot protect yourself against DDOS. In the limit, the attacker will fill up your communications pipes, so no matter what you do in terms of load-shedding, you will still end up with the attack being effective.

You've posted previously that you want to do some things, like characterizing packet options (e.g. MSS), and dropping certain packets with or without these options. This is merely a load-shedding strategy, and it is, in fact, one which will not be successful if you make your choices in this regard public, since you will provide information to your attacker as to why his attack, previously effective, is now ineffective.

The bad news is that, even if you do not make this information public, an attacker can infer your rules and "tighten up" the attack, to make it look more like legitimate traffic, to avoid your rules changes (e.g. adding the MSS option to SYN packets used in attacks, etc.). In the worst case, the attacker will merely flood your pipes, if you are effective in stopping attack packets at your border firewall.

The only really effective mechanisms for defending against DDOS attacks are:

1) Have a bigger pipe than the aggregate of all your attackers' "robots" -- this has the negative effect that your attacker, while being unable to take you off the air, can still cost you money (e.g. the "war dialer" attack on 1-800 numbers of spammers and televangelists, who get charged for call completion).

2) DPOS - Distributed Provision Of Service. A DDOS attack can only work against a small number of targets. As the number of targets approaches the number of "robots", the DDOS attack becomes ineffective.

3) Identify the attackers, and have them arrested. There are all sorts of laws which are being violated by a DDOS attack, but police agencies aren't very sophisticated, mostly because of their hiring standards, and therefore you have to do much of their work for them.

4) Host something politically or militarily sensitive on the same server farm. The Men In Black will make your attackers disappear (unlike police agencies, the intelligence agencies *are* effective).

> Or is it generally accepted that if you have that kind of targets on your
> network that you just have to get an appliance - that is, even if the guy
> that wrote ipfw and knows the fbsd kernel inside and out still wouldn't
> even try to make that work ?

The only thing a firewall can do for you is shed load, even if it's God's Own Firewall(tm).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
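The "characterize packet options (e.g. MSS)" load-shedding rule discussed in the thread, and the reason Terry gives for why it buys little, can be checked on the wire with a small parser. The following is an added example, not code from the thread or from FreeBSD's ipfw: it parses the TCP option list of a raw TCP header, applies the rule "drop initial SYNs that carry no MSS option", and runs it over two constructed SYN headers, one without and one with an MSS option. The header builder, port numbers and MSS value are constructed for the example; the ipfw equivalent of the rule is a `tcpflags syn,!ack` plus `tcpoptions !mss` match.

```python
"""Added example (not from the mailing-list thread): evaluate a
"SYN without MSS option" load-shedding rule on raw TCP headers.
All packets below are constructed for the example."""
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # option kinds from RFC 793


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP header.
    The data offset (header length in 32-bit words) lives in the upper
    four bits of byte 12; options occupy bytes 20 .. data_offset."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts = {}
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == OPT_EOL:            # end of option list
            break
        if kind == OPT_NOP:            # single-byte padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")   # reject malformed lists
        opts[kind] = tcp_header[i + 2:i + length]
        i += length
    return opts


def is_initial_syn(tcp_header: bytes) -> bool:
    """SYN set, ACK clear: the first packet of a handshake."""
    flags = tcp_header[13]
    return bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_ACK)


def mss_value(tcp_header: bytes):
    """Advertised MSS, or None when the option is absent."""
    opt = parse_tcp_options(tcp_header).get(OPT_MSS)
    if opt is None or len(opt) != 2:
        return None
    return struct.unpack("!H", opt)[0]


def verdict(tcp_header: bytes) -> str:
    """The load-shedding rule from the thread: drop initial SYNs
    that carry no MSS option, pass everything else."""
    if is_initial_syn(tcp_header) and mss_value(tcp_header) is None:
        return "drop"
    return "pass"


def build_syn(options: bytes = b"") -> bytes:
    """Constructed minimal TCP header (SYN only), options zero-padded
    to a 4-byte boundary. Ports, seq and window are arbitrary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH",
                       12345, 6667,          # src port, dst port (constructed)
                       1, 0,                 # seq, ack
                       data_offset << 4,     # data offset, reserved bits
                       TCP_FLAG_SYN,
                       65535, 0, 0) + options  # window, checksum, urgent


# A bare SYN, as a packet generator that skips options would send it.
SYN_NO_MSS = build_syn()
# The same SYN once an MSS option is added: indistinguishable to the rule.
SYN_WITH_MSS = build_syn(struct.pack("!BBH", OPT_MSS, 4, 1460))

if __name__ == "__main__":
    for name, pkt in (("SYN without MSS", SYN_NO_MSS),
                      ("SYN with MSS", SYN_WITH_MSS)):
        print(f"{name}: mss={mss_value(pkt)} -> {verdict(pkt)}")
```

The second packet shows the limit Terry describes: the rule is a characterization of what the current flood happens to look like, not of the attacker, so once the option is present the filter sees legitimate-looking traffic and the only remaining effect is whatever load the rule sheds before the pipe fills.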