Date: Thu, 16 Jan 2003 14:31:58 -0800
From: Darren Pilgrim <dmp@pantherdragon.org>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: Terry Lambert <tlambert2@mindspring.com>, freebsd-hackers@freebsd.org
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E2732DE.2020306@pantherdragon.org>
References: <20030116114531.G9642-100000@mail.econolodgetulsa.com>
Josh Brooks wrote:
> Thank you for that advice - it is very well taken.
>
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> this case fbsd+ipfw)? Or would all serious people interested in
> mitigating attacks use an appliance, like a netscreen?
>
> I will say this - 9/10 attacks that hurt me do not do anything interesting
> - in fact they are even low bandwidth (2-3 megabits/s) but they have a
> packet/second rate that just eats up all my firewall cpu and no traffic
> goes through - and as soon as the attack goes away the firewall is fine.
>
> So, I am looking at putting in more sophisticated traffic shaping
> (limiting packets/s from each IP I have) and skipto rules to make the
> ruleset more efficient ... but this is going to be a lot of work, and I
> want to know if it is all just a waste because no matter how good I get at
> a freebsd firewall, a netscreen 10 will always be better?

That depends on what you're asking of the machine. The routing information
that will need to be held is the biggest one I can see, since the netscreens
have defined limits. A FreeBSD box, in theory, doesn't have these
limitations.
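The two ipfw techniques Josh mentions, skipto blocks so that a packet only walks the rules for the host it is addressed to, and dummynet shaping keyed on the destination address so that one flooded host cannot starve the others, look roughly like the script below. This is an added example written for this archive page, not code from either poster or from the FreeBSD project. It assumes a FreeBSD host with ipfw and dummynet available and uses ipfw(8) syntax as documented in the manual; the host addresses (192.0.2.x, RFC 5737 TEST-NET-1), the 2 Mbit/s cap and the queue length are constructed values. Note that dummynet limits bandwidth (bits per second), not packets per second; a short queue is what bounds the per-host packet burst, and `net.inet.ip.fw.one_pass` must be 0 for packets to continue past the pipe rule into the allow/deny rules that follow.

```shell
#!/bin/sh
# Added example (not from the original thread): per-host skipto dispatch plus a
# dummynet pipe masked on destination address. Addresses are constructed.
# Assumes ipfw(8)/dummynet(4) on FreeBSD. Set IPFW=echo SYSCTL=echo to preview.
IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Protected hosts behind this firewall, one skipto block each (constructed).
HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"

build_ruleset() {
    # Packets must keep being evaluated after the pipe rule, otherwise the
    # allow/deny rules in each host block are never reached.
    $SYSCTL net.inet.ip.fw.one_pass=0

    # Start from a clean table.
    $IPFW -f flush
    $IPFW -f pipe flush

    # One pipe definition; 'mask dst-ip' makes dummynet keep a separate queue
    # per destination address, so each protected host gets its own 2 Mbit/s
    # cap and its own 50-slot queue. Excess packets for one host are dropped
    # in that host's queue instead of competing with the other hosts.
    $IPFW pipe 1 config mask dst-ip 0xffffffff bw 2Mbit/s queue 50

    # Loopback always allowed; dynamic (keep-state) rules checked before
    # walking any per-host block.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 check-state

    # Dispatch: one skipto per host. A packet for host N jumps straight to
    # that host's block instead of being matched against every other host's
    # rules, which is what keeps evaluation cost flat as the ruleset grows.
    rule=1000
    base=5000
    for h in $HOSTS; do
        $IPFW add $rule skipto $base ip from any to $h
        rule=$((rule + 10))
        base=$((base + 1000))
    done
    # Not destined for a protected host: drop. The blocks below are therefore
    # only reachable through a skipto.
    $IPFW add 4999 deny ip from any to any

    # Per-host blocks: shape first, then the host's allow rules, then a deny.
    base=5000
    for h in $HOSTS; do
        $IPFW add $base pipe 1 ip from any to $h
        $IPFW add $((base + 10)) allow tcp from any to $h 80,443 setup keep-state
        $IPFW add $((base + 20)) allow icmp from any to $h icmptypes 0,3,8,11
        $IPFW add $((base + 900)) deny ip from any to $h
        base=$((base + 1000))
    done
}

# Sanity check used before loading on a real box: count the 'add' rules the
# generator would emit (runs the generator in a subshell with echo stand-ins).
count_rules() {
    ( IPFW=echo; SYSCTL=echo; build_ruleset ) | grep -c '^add '
}

# Preview of the commands a given host's dispatch rule would be, without
# touching the kernel.
preview() {
    ( IPFW=echo; SYSCTL=echo; build_ruleset )
}
```

Run `IPFW=echo SYSCTL=echo sh rules.sh` (or call `preview`) to see the generated commands before loading them; the hard limits Darren refers to, such as how many hosts and dynamic rules the box can hold, show up here as nothing more than the length of `HOSTS` and the kernel's dynamic-rule sysctls rather than a fixed appliance table size.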