From: Nate Williams <nate@yogotech.com>
Date: Thu, 16 Jan 2003 13:08:22 -0700
To: Josh Brooks
Cc: Terry Lambert, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.4406.897084.534733@emerger.yogotech.com>
In-Reply-To: <20030116114531.G9642-100000@mail.econolodgetulsa.com>
References: <3E2705AE.B7C3D835@mindspring.com> <20030116114531.G9642-100000@mail.econolodgetulsa.com>
Reply-To: nate@yogotech.com (Nate Williams)
X-Mailer: VM 7.07 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
List: freebsd-hackers

> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> this case fbsd+ipfw)? Or would all serious people interested in
> mitigating attacks use an appliance, like a netscreen?
Why don't you use a FreeBSD firewall in front of the host? That way, the FreeBSD box is acting like an appliance, and thus it 'filters' out the DDoS loads and as such leaves the host CPU free to serve the DDoS attacks that make it past your appliance.

This is what I do, and because my pipe is fairly small and my site is mostly unknown, the 486/66 box that I use has *way* more than enough power to deal with the simple task of filtering packets, since it has nothing else it needs to do.

> I will say this - 9/10 attacks that hurt me do not do anything interesting
> - in fact they are even low bandwidth (2-3 megabits/s) but they have a
> packet/second rate that just eats up all my firewall cpu and no traffic
> goes through - and as soon as the attack goes away the firewall is fine.

Is your firewall also doing the WWW hosting? If so, then the amount of CPU it needs is much higher than a dedicated firewall. If it's eating up all the CPU and you're using a dedicated firewall, methinks that your rules need tweaking to 'optimize' them. It's *very* easy to generate firewall rules that work fine, but are very suboptimal when put under load.

> So, I am looking at putting in more sophisticated traffic shaping
> (limiting packets/s from each IP I have) and skipto rules to make the
> ruleset more efficient ... but this is going to be a lot of work, and I
> want to know if it is all just a waste because no matter how good I get at
> a freebsd firewall, a netscreen 10 will always be better?

See above. A poorly configured netscreen will perform no better than a poorly equipped FreeBSD dedicated firewall.

Nate
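The layout the two of them are discussing (a dedicated filtering box in front of the web host, skipto rules so that each packet crosses only the section that applies to it, and per-source shaping of new connections) as an added example; this is not code from either mail nor from the FreeBSD project. The interface name (fxp0), the RFC 5737 documentation addresses, the rule numbers, the 256 Kbit/s pipe and the 50-flow cap per client are all constructed assumptions. Two caveats the thread does not spell out: dummynet shapes bandwidth, not packets per second, so the per-source pipe only approximates a SYN-rate cap; and `limit`/`keep-state` create dynamic rules, which cost memory and CPU of their own under a flood (see the `net.inet.ip.fw.dyn_max` sysctl). The script is a dry run by default and just prints the ipfw commands; set `IPFW_APPLY=1` on a FreeBSD box to execute them.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): a dedicated ipfw filter in
# front of a web host, arranged so each packet crosses as few rules as possible.
# Interface, addresses, rule numbers, pipe size and per-client cap are assumptions.
# DRY RUN by default: prints the ipfw commands. IPFW_APPLY=1 executes them
# (needs root on a FreeBSD box with ipfw and dummynet in the kernel).

OIF="${OIF:-fxp0}"               # outside (Internet-facing) interface, assumed
WEB="${WEB:-192.0.2.10}"         # the web host behind the filter (RFC 5737 range)
INSIDE="${INSIDE:-192.0.2.0/24}" # the protected network, constructed

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

build_ruleset() {
    run ipfw -f flush
    # With one_pass=1 (the default) a packet leaving a dummynet pipe is accepted
    # outright; with 0 it re-enters the ruleset at the next rule, so the pipe
    # below only shapes, and the later allow/deny rules still apply.
    run sysctl net.inet.ip.fw.one_pass=0
    # One queue per source /32: 256 Kbit/s and 10 packet slots each. dummynet
    # limits bandwidth, not pps, so for ~60-byte SYNs this is roughly 500 SYN/s
    # per source before its queue overflows and the excess is dropped.
    run ipfw pipe 1 config bw 256Kbit/s queue 10 mask src-ip 0xffffffff

    # --- common prologue: cheapest and most frequent matches first ---
    run ipfw add 100 check-state                     # already-known flows leave here
    run ipfw add 110 allow ip from any to any via lo0
    run ipfw add 120 deny ip from any to 127.0.0.0/8
    run ipfw add 130 deny ip from 127.0.0.0/8 to any

    # --- dispatch: one skipto per direction instead of a long linear scan ---
    run ipfw add 200 deny ip from "$INSIDE" to any in recv "$OIF"    # spoofed inside source from outside
    run ipfw add 210 skipto 1000 ip from any to any in recv "$OIF"   # Internet -> us
    run ipfw add 220 skipto 2000 ip from any to any out xmit "$OIF"  # us -> Internet
    run ipfw add 230 allow ip from any to any                        # inside <-> the firewall itself

    # --- 1000: inbound from the Internet, only what the web host needs ---
    run ipfw add 1000 pipe 1 tcp from any to "$WEB" 80 setup                  # shape new connections per source
    run ipfw add 1010 allow tcp from any to "$WEB" 80 setup limit src-addr 50 # at most 50 open flows per client
    run ipfw add 1030 allow icmp from any to "$WEB" icmptypes 0,3,11          # echo reply, unreachable, TTL exceeded
    run ipfw add 1090 deny log logamount 100 ip from any to any               # bounded logging, no log flood

    # --- 2000: outbound to the Internet ---
    run ipfw add 2000 allow ip from "$INSIDE" to any keep-state
    run ipfw add 2090 deny ip from any to any
}

# Helpers for sanity-checking the generated ruleset without a FreeBSD kernel.
count_add_rules() { build_ruleset | grep -c '^ipfw add '; }
count_skipto()    { build_ruleset | grep -c ' skipto '; }

build_ruleset
```

The point of the two skipto rules is what Nate calls optimizing: a flood arriving on the outside interface is decided within a handful of rules (state check, anti-spoof, jump, pipe, limit, deny) rather than being compared against every rule for every direction, and the bounded `logamount` keeps the deny rule from turning the attack into a syslog flood on the firewall itself.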