From: Walter Hop <walter@binity.com>
To: FreeBSD ISP <freebsd-isp@freebsd.org>
Date: Thu, 19 Jul 2001 11:24:48 +0200
Subject: What do you do about DoS attacks?
Message-ID: <17810514298.20010719112448@binity.com>

Hi all,

I am interested in your experience with good ACLs and tools to analyze and prevent DoS attacks, which pose a current problem for me.

One of my machines, which is running ircd, has been the subject of frequent DoS attacks for the last few weeks. The box was unaffected until today -- our upstream is getting annoyed by the packets and now cuts off our line when under attack. So, that's an effective DoS we have there. :)

There are no log entries of rate-limited ICMP packets. Our upstream's router stats only show that there is about 8Mb/s of traffic coming in, while the traffic on the outside drops (saturated pipe). They can't/do not want to give us information on the traffic, but they can block certain netblocks at the edge on our request.

Given that there's probably not much to do about these attacks, I'd still like to:

1] see what types of packets cause the attack

The colocated boxes on the subnet are hardly reachable when under attack, so I can't log in to make an ad-hoc analysis of the traffic; I want to have a solid logging system in place before another attack occurs. I've replaced net.inet.*.blackhole by .log_in_vain to see if there is anything out of the usual during the attacks.

I'd like to keep network dumps under heavy load. Logging all tcpdump output to a file all day would create a gigantic file -- is there a tool which can do a (more or less intelligent) analysis of traffic and only log when a problem occurs? (For example, the queues get too large, or incoming traffic exceeds a certain limit.)

2] (maybe) discover the origin of the attack

The attacks all look the same, so I guess there is one person (or group) behind them. If the attackers are not too intelligent, the source addresses might not be spoofed.

Does anyone have any pointers for tools or config options that could help me? [I have tried Google and the archives, but did not find anything really valuable this morning...]

thanks,
walter

--
Walter Hop | +31 6 24290808 | Finger for public key
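One way to get the "only log when incoming traffic exceeds a certain limit" behaviour asked for in point 1], as an added example that is not from the post or from FreeBSD: poll the interface byte counters from `netstat -ibn`, and start a bounded, headers-only tcpdump only while the inbound rate is above a threshold. The interface name `fxp0`, the thresholds, the output path and the sample counter values are assumptions.

```python
"""Threshold-triggered capture: sample inbound byte counters from `netstat
-ibn`, convert the delta to Mb/s, and run a bounded tcpdump only while the
rate stays high. Interface name, thresholds and output path are assumptions."""
import subprocess
import time

IFACE = "fxp0"    # assumed interface name
HIGH_MBPS = 6.0   # start capturing above this inbound rate
LOW_MBPS = 2.0    # stop only once the rate falls below this (hysteresis)
# Constructed `netstat -ibn` snapshots one second apart (1,000,000 bytes in).
SAMPLE_T0 = """Name  Mtu  Network  Address            Ipkts Ierrs   Ibytes Opkts Oerrs  Obytes Coll
fxp0  1500 <Link#1> 00:a0:c9:12:34:56  10000     0 12000000  9000     0 8000000    0"""
SAMPLE_T1 = SAMPLE_T0.replace("12000000", "13000000")

def inbound_bytes(netstat_output: str, ifname: str) -> int:
    """Ibytes counter for ifname from its <Link#N> row. The column index comes
    from the header line, so an extra Idrop column does not break parsing."""
    lines = netstat_output.strip().splitlines()
    col = lines[0].split().index("Ibytes")
    for line in lines[1:]:
        f = line.split()
        if f[0] == ifname and f[2].startswith("<Link#"):
            return int(f[col])
    raise ValueError(f"no <Link#> row for {ifname}")

def rate_mbps(before: int, after: int, seconds: float) -> float:
    """Inbound rate in megabits per second between two counter samples."""
    return (after - before) * 8 / seconds / 1_000_000

def should_capture(capturing: bool, mbps: float) -> bool:
    """Start above HIGH_MBPS; once started, keep going until below LOW_MBPS."""
    return mbps >= (LOW_MBPS if capturing else HIGH_MBPS)

def sample() -> int:
    out = subprocess.run(["netstat", "-ibn"], capture_output=True, text=True)
    return inbound_bytes(out.stdout, IFACE)

def main() -> None:
    prev, proc = sample(), None
    while True:
        time.sleep(1)
        cur, capturing = sample(), proc is not None and proc.poll() is None
        want = should_capture(capturing, rate_mbps(prev, cur, 1.0))
        prev = cur
        if want and not capturing:  # one bounded, headers-only file per burst
            path = f"/var/log/dos-{int(time.time())}.pcap"  # assumed path
            proc = subprocess.Popen(["tcpdump", "-n", "-i", IFACE, "-s", "96",
                                     "-c", "20000", "-w", path])
        elif capturing and not want:  # rate fell back; stop the capture
            proc.terminate()
```

The `-c` packet limit and the 96-byte snaplen keep each capture file small, so a flood cannot fill the disk; the two thresholds keep tcpdump from being started and stopped every second when the rate hovers around the limit.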