From owner-freebsd-isp@FreeBSD.ORG Sun Feb 10 21:08:28 2013
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 2F4F44DC; Sun, 10 Feb 2013 21:08:28 +0000 (UTC) (envelope-from spork@bway.net)
Received: from smtp2.bway.net (smtp2.bway.net [216.220.96.28]) by mx1.freebsd.org (Postfix) with ESMTP id 031D42B7; Sun, 10 Feb 2013 21:08:27 +0000 (UTC)
Received: from frankentosh.sporklab.com (foon.sporktines.com [96.57.144.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: spork@bway.net) by smtp2.bway.net (Postfix) with ESMTPSA id 168379586B; Sun, 10 Feb 2013 16:08:22 -0500 (EST)
Subject: Re: FreeBSD DDoS protection
From: Charles Sprickman
Date: Sun, 10 Feb 2013 16:08:21 -0500
References: , , <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>, , <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>
To: James Howlett
Cc: "freebsd-isp@freebsd.org", "freebsd-security@freebsd.org", "khatfield@socllc.net"
X-Mailer: Apple Mail (2.1085)
List-Id: Internet Services Providers
X-List-Received-Date: Sun, 10 Feb 2013 21:08:28 -0000

On Feb 10, 2013, at 4:42 AM, James Howlett wrote:

> Hello,
>
>> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?
>
> 1. I use pf on the router.
> 2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
>    So as long as my router can process the traffic, I'll manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
> 3. The rules at the moment just filter SSH connections to the router.
> 4. I'm looking into enabling polling, but I need to test it before it goes to production.
>
>> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?
>
> Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.
>
>> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.
>
> I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?

I'm not sure I can recommend it, because it's quite old, but I use flow-tools and just query on the command line for top X destinations - inevitably, even if the old Cisco is tanking from the load, it's able to spit out enough info to give me an idea of what's being targeted.

I'm probably going to move to nfsen/nfdump, as that seems to be the modern solution:

http://nfsen.sourceforge.net/

> Jim
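The "top X destinations" query Charles describes, written out as an added shell example (not code from the thread, from flow-tools or from nfdump). It assumes the flow records have already been exported to one CSV line per flow with the columns src_ip,dst_ip,dst_port,packets (an export step such as nfdump's CSV output is assumed to produce these columns); the records embedded below are constructed sample data. Beyond the plain per-destination ranking, it also ranks destination:port pairs and counts distinct sources per pair, which is the shape of the attack Jim describes (many hosts, one port, one machine).

```shell
#!/bin/sh
# Added example: summarise exported flow records to find the DDoS target.
# Assumed input format: src_ip,dst_ip,dst_port,packets (one flow per line).
# SAMPLE_FLOWS is constructed sample data, not captured traffic.
SAMPLE_FLOWS='10.0.0.1,192.0.2.10,80,120000
10.0.0.2,192.0.2.10,80,95000
10.0.0.3,192.0.2.10,80,88000
10.0.0.4,192.0.2.10,80,91000
198.51.100.7,192.0.2.20,443,400
10.0.0.1,192.0.2.20,443,300
198.51.100.8,192.0.2.30,25,150'

# top_destinations N: total packets and number of distinct sources per
# destination IP, highest packet count first, limited to N rows.
# Output columns: dst_ip packets distinct_sources
top_destinations() {
    awk -F, '
        { pkts[$2] += $4
          if (!(($2 SUBSEP $1) in seen)) { seen[$2 SUBSEP $1] = 1; srcs[$2]++ } }
        END { for (d in pkts) printf "%s %d %d\n", d, pkts[d], srcs[d] }
    ' | sort -k2,2nr | head -n "$1"
}

# top_ports N: the same aggregation keyed on dst_ip:dst_port, so a flood
# aimed at one service on one host stands out as a single row.
# Output columns: dst_ip:dst_port packets distinct_sources
top_ports() {
    awk -F, '
        { key = $2 ":" $3
          pkts[key] += $4
          if (!((key SUBSEP $1) in seen)) { seen[key SUBSEP $1] = 1; srcs[key]++ } }
        END { for (k in pkts) printf "%s %d %d\n", k, pkts[k], srcs[k] }
    ' | sort -k2,2nr | head -n "$1"
}

# flood_suspects MIN_SOURCES: dst_ip:dst_port pairs contacted by at least
# MIN_SOURCES distinct sources. This is the short list to confirm by hand
# before asking an upstream for a null route on the attacked address.
flood_suspects() {
    awk -F, -v min="$1" '
        { key = $2 ":" $3
          if (!((key SUBSEP $1) in seen)) { seen[key SUBSEP $1] = 1; srcs[key]++ } }
        END { for (k in srcs) if (srcs[k] >= min) print k }
    ' | sort
}

echo "Top destinations (dst packets sources):"
printf '%s\n' "$SAMPLE_FLOWS" | top_destinations 3
echo "Top destination ports (dst:port packets sources):"
printf '%s\n' "$SAMPLE_FLOWS" | top_ports 3
echo "Targets contacted by 3 or more distinct sources:"
printf '%s\n' "$SAMPLE_FLOWS" | flood_suspects 3
```

In use, replace the `printf` of the sample data with the export pipeline feeding real records, and raise the source threshold to fit the size of the network; a busy web server legitimately sees many distinct sources, so the packet ranking and the source count should be read together rather than either one alone.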