From owner-freebsd-hackers Thu Jan 16 11:49:29 2003
Date: Thu, 16 Jan 2003 11:49:26 -0800 (PST)
From: Josh Brooks
To: Terry Lambert
Cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <3E2705AE.B7C3D835@mindspring.com>
Message-ID: <20030116114531.G9642-100000@mail.econolodgetulsa.com>

Thank you for that advice - it is very well taken.

Obviously, my goal is to mitigate as much as possible - I have accepted that I cannot stop all DDoS - my question is, do serious people ever attempt to do the mitigation/load shedding with a host-based firewall (in this case fbsd+ipfw)? Or would all serious people interested in mitigating attacks use an appliance, like a netscreen?

I will say this - 9/10 attacks that hurt me do not do anything interesting - in fact they are even low bandwidth (2-3 megabits/s) but they have a packet/second rate that just eats up all my firewall cpu and no traffic goes through - and as soon as the attack goes away the firewall is fine.
So, I am looking at putting in more sophisticated traffic shaping (limiting packets/s from each IP I have) and skipto rules to make the ruleset more efficient ... but this is going to be a lot of work, and I want to know if it is all just a waste because no matter how good I get at a freebsd firewall, a netscreen 10 will always be better?

thanks.

On Thu, 16 Jan 2003, Terry Lambert wrote:

> Josh Brooks wrote:
> > If I have a large network with high profile hosts (50+ shell servers, 50 or more different ircds running) am I wasting my time trying to hack and tweak a FreeBSD host-based firewall running ipfw?
> >
> > I am getting hammered by a different (D)DoS attack every single day - it's always something new. I am thinking of buying a netscreen, but on the other hand I really like FreeBSD, I really like a host-based firewall, and I hate to admit defeat.
>
> You cannot protect yourself against DDOS.
>
> In the limit, the attacker will fill up your communications pipes, so no matter what you do, in terms of load-shedding, you will still end up with the attack being effective.
>
> You've posted previously that you want to do some things, like characterizing packet options (e.g. MSS), and dropping certain packets with or without these options.
>
> This is merely a load-shedding strategy, and it is, in fact, one which will not be successful, if you make your choices in this regard public, since you will provide information to your attacker as to why his attack, previously effective, is not ineffective. The bad news is that, even if you do not make this information public, an attacker can infer your rules and "tighten up" the attack, to make it look more like legitimate traffic, to avoid your rules changes (e.g. adding the MSS option to SYN packets used in attacks, etc.). In the worst case, the attacker will merely flood your pipes, if you are effective in stopping attack packets at your border firewall.
>
> The only really effective mechanisms for defending against DDOS attacks are:
>
> 1) Have a bigger pipe than the aggregate of all your attackers "robots" -- this has the negative effect of your attacker, while being unable to take you off the air, they can still cost you money (e.g. the "war dialer attack on 1-800 numbers of SPAM'mers and televangelists, who get charged for call completion).
>
> 2) DPOS - Distributed Provision Of Service. A DDOS attack can only work against a small number of targets. As the number of targets approaches the number of "robots", the DDOS attack becomes ineffective.
>
> 3) Identify the attackers, and have them arrested. There are all sorts of laws which are being violated by a DDOS attack, but police agencies aren't very sophisticated, mostly because of their hiring standards, and therefore you have to do much of their work for them.
>
> 4) Host something politically or militarily sensitive on the same server farm. The Men In Black will make your attackers disappear (unlike police agencies, the intelligence agencies *are* effective).
>
> > Or is it generally accepted that if you have that kind of targets on your network that you just have to get an appliance - that is, even if the guy that wrote ipfw and knows the fbsd kernel inside and out still wouldn't even try to make that work?
>
> The only thing a firewall can do for you is shed load, even if it's God's Own Firewall(tm).
>
> -- Terry
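The kind of load-shedding ruleset Josh describes (per-source shaping plus skipto to keep the rule walk short), as an added example that is not code from this thread or from the FreeBSD project. The interface name, service ports and pipe rate are assumptions; the script emits the rules as text for review and only loads them when invoked with `load`.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): a load-shedding
# ipfw ruleset built from the pieces Josh mentions: per-source dummynet pipes,
# skipto fast paths and dynamic-rule limits. Interface, ports, rates: assumed.
IF="${IF:-fxp0}"             # assumed external interface
IRC_PORT="${IRC_PORT:-6667}" # assumed ircd port
IPFW="${IPFW:-ipfw}"         # set IPFW=echo to dry-run on a non-FreeBSD box

# Emit the ruleset as text (comments included) so it can be reviewed first.
build_ruleset() {
    cat <<EOF
# One small pipe per source /32: a flooding host fills its own queue instead
# of everyone's. dummynet shapes bits/s, not packets/s; the short queue is
# what bounds the per-host burst. Requires sysctl net.inet.ip.fw.one_pass=0
# so packets re-enter the ruleset after the pipe instead of being accepted.
pipe 1 config bw 512Kbit/s queue 20 mask src-ip 0xffffffff
add 100 allow ip from any to any via lo0
# Shape everything inbound before spending any more CPU on it.
add 200 pipe 1 ip from any to any in via $IF
# Known flows end the walk cheaply; most legitimate packets stop here.
add 300 check-state
add 310 allow tcp from any to any established
# New TCP connections jump straight to the per-service section.
add 400 skipto 1000 tcp from any to any setup in via $IF
add 410 allow udp from any 53 to any in via $IF
add 420 allow icmp from any to any icmptypes 0,3,11
add 490 deny log ip from any to any in via $IF
# 1000: cap simultaneous flows per source address, per service.
add 1000 allow tcp from any to me 22 setup limit src-addr 8
add 1010 allow tcp from any to me $IRC_PORT setup limit src-addr 4
add 1090 deny log tcp from any to any setup in via $IF
add 65000 allow ip from any to any
EOF
}

# Number of pipe/add lines in the emitted ruleset (handy for a sanity check).
rule_count() { build_ruleset | grep -c -E '^(add|pipe) '; }

# Load the ruleset: flush, then apply each non-comment line in order.
load_ruleset() {
    "$IPFW" -f flush
    build_ruleset | grep -v '^#' | while read -r rule; do
        [ -n "$rule" ] && "$IPFW" $rule
    done
}

if [ "${1:-}" = "load" ]; then load_ruleset; else build_ruleset; fi
```

Because the setup packets jump past rules 410-490, the per-service section is the only place new connections are decided, which keeps the hot path short when the flood is mostly SYNs.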