Date: Mon, 15 Jun 2009 16:56:45 -0500 From: "Gary Gatten" <Ggatten@waddell.com> To: "Doug Hardie" <bc979@lafn.org>, "freebsd-questions -" <freebsd-questions@freebsd.org> Subject: RE: pf vs null route Message-ID: <70C0964126D66F458E688618E1CD008A0793EFB6@WADPEXV0.waddell.com> In-Reply-To: <1B37C3FB-1D82-4E8D-827D-D1391373C450@lafn.org> References: <1B37C3FB-1D82-4E8D-827D-D1391373C450@lafn.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Well, that's more "black holing" than null routing, but regardless, routing will always be "faster" / less cpu intensive than L4+ filtering. Unless of course the rules are compiled and executed in an Asic like Ci$co does. Anyway, whether or not the processing latency is noticeable to the users only time will tell. This is a never ending battle. Force your users to make stronger passwords and implement an automated password recovery process for them. Your webserver SHOULD be able to blacklist IP's that do bad things automatically as well. If you have another "good" solution let me know. With all the spoofing, bots, etc. - it's VERY difficult to block access without causing problems for legitimate users. One thing pf would allow is a sort of "tar pit" / rate limiting vs. 100% block like a black-hole. This way if you accidentally trigger an "enforce" action on a legit user, the'll just run slow for a little while instead of being blocked entirely. G -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Doug Hardie Sent: Monday, June 15, 2009 4:47 PM To: freebsd-questions - Subject: pf vs null route My web server is always being attacked by people trying to guess our=20=20 user's passwords. Most of the time the ids they try are not in use so=20= =20 there is only a log entry and a bit of packet time involved. However,=20= =20 eventually they are likely to guess a valid id and password. Some of=20=20 our users have very weak passwords. Granted they will only be able to=20= =20 get to the user's personal web space, but that would be inconvenient=20=20 for the user. For a long time I have been using null routes for the persistent=20=20 attacks (set a route of 127.0.0.2 for their adddress in the route=20=20 table). This works fine. We still get the first SYN packet, but=20=20 nothing after that. I do have pf running on several of our servers=20=20 for other purposes and have been thinking about replacing the null=20=20 routes with a blocking table using pf. The question is which scales=20=20 better? My guess based on presumed implementation techniques is that=20=20 pf will scale better. I currently have a table for incoming mail that=20= =20 has over 100K entries and there is no noticable effect on mail=20=20 processing times. Unfortunately I can't tell if that is because I=20=20 also don't have any good way to determine if there were any effects.=20=20= =20 pf would certainly provide additional capabilites, but given the=20=20 limited use of this server, I don't see any need for anything more.=20=20= =20 Since we provide telnet and ftp access for users to their personal web=20= =20 pages, I keep anything important on another server. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" <font size=3D"1"> <div style=3D'border:none;border-bottom:double windowtext 2.25pt;padding:0i= n 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?70C0964126D66F458E688618E1CD008A0793EFB6>