Date: Sun, 10 Feb 2013 16:08:21 -0500
From: Charles Sprickman <spork@bway.net>
To: James Howlett <jim.howlett@outlook.com>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "khatfield@socllc.net" <khatfield@socllc.net>
Subject: Re: FreeBSD DDoS protection
Message-ID: <B11630F5-942D-4EF8-882F-425A9DE532C9@bway.net>
In-Reply-To: <SNT002-W1380F7374490A81B4439EDEE50B0@phx.gbl>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl> <850217A5-05F0-499C-A353-7C675452E6D7@bway.net> <SNT002-W1380F7374490A81B4439EDEE50B0@phx.gbl>
On Feb 10, 2013, at 4:42 AM, James Howlett wrote:

> Hello,
>
>> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?
>
> 1. I use pf on the router.
> 2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
> So as long as my router can process the traffic I can manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
> 3. The rules at the moment just filter SSH connections to the router.
> 4. I'm looking into enabling polling, but I need to test it before it goes to production.
>
>> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?
>
> Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.
>
>> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.
>
> I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?

I'm not sure I can recommend it, because it's quite old, but I use flow-tools and just query on the command line for top X destinations - inevitably, even if the old Cisco is tanking from the load, it's able to spit out enough info to give me an idea of what's being targeted.

I'm probably going to move to nfsen/nfdump, as that seems to be the modern solution: http://nfsen.sourceforge.net/

> Jim
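The "top X destinations" query Charles describes is what turns a pile of flow records into the one fact you need when asking an upstream for a null route: which address is being hit, on which port, from how many sources, at what rate. The script below is an added example written for this page, not code from the thread, from flow-tools, or from nfsen/nfdump. It aggregates per-destination packets, bytes and distinct sources over a set of flow records and flags the "many sources, one port, one machine" pattern the thread describes. The record layout (src, dst, dport, packets, octets) and the sample flows are constructed assumptions, not exported data; the 60-second window is likewise an assumed collection interval.

```python
"""Rank flood targets from flow records (added example, not from the thread)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    # Assumed minimal flow layout; real NetFlow/sFlow exports carry more fields.
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample: four sources hammering one port on one host, plus
# ordinary background traffic to two other hosts. Not captured data.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 80, 50000, 3000000),
    Flow("198.51.100.11", "203.0.113.5", 80, 48000, 2880000),
    Flow("198.51.100.12", "203.0.113.5", 80, 52000, 3120000),
    Flow("198.51.100.13", "203.0.113.5", 80, 50000, 3000000),
    Flow("192.0.2.7", "203.0.113.9", 443, 1200, 900000),
    Flow("192.0.2.8", "203.0.113.9", 443, 800, 600000),
    Flow("192.0.2.9", "203.0.113.20", 25, 300, 120000),
]


def top_destinations(flows, n=3, window_s=60):
    """Aggregate per destination IP and return the top n by packet count.

    Each entry carries average pps and Mbps over window_s (assumed collection
    interval), the number of distinct sources, and the destination ports seen.
    """
    agg = defaultdict(lambda: {"packets": 0, "octets": 0,
                               "sources": set(), "ports": set()})
    for f in flows:
        a = agg[f.dst]
        a["packets"] += f.packets
        a["octets"] += f.octets
        a["sources"].add(f.src)
        a["ports"].add(f.dport)
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return [
        {
            "dst": dst,
            "pps": a["packets"] / window_s,
            "mbps": a["octets"] * 8 / window_s / 1e6,
            "sources": len(a["sources"]),
            "ports": sorted(a["ports"]),
        }
        for dst, a in ranked[:n]
    ]


def flood_candidates(flows, pps_threshold=1000, min_sources=3, window_s=60):
    """Destinations above pps_threshold that are fed by at least min_sources
    distinct sources: the 'multiple hosts, one port, one machine' pattern."""
    report = top_destinations(flows, n=len(flows), window_s=window_s)
    return [d["dst"] for d in report
            if d["pps"] >= pps_threshold and d["sources"] >= min_sources]


if __name__ == "__main__":
    for row in top_destinations(SAMPLE_FLOWS):
        print(f"{row['dst']:<15} {row['pps']:9.1f} pps {row['mbps']:6.2f} Mbps "
              f"{row['sources']:3d} sources ports={row['ports']}")
    print("null-route candidates:", flood_candidates(SAMPLE_FLOWS))
```

The distinct-source count is what separates a flood from a single busy client, and the port list is what you hand to the upstream alongside the address; thresholds are assumptions to be tuned against your own baseline, since 200K pps on one host is obvious but the same logic should not page you for a normal backup job.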
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B11630F5-942D-4EF8-882F-425A9DE532C9>