From owner-freebsd-hackers Thu Jan 16 14:32:13 2003
From: Darren Pilgrim
To: Josh Brooks
Cc: Terry Lambert, freebsd-hackers@freebsd.org
Date: Thu, 16 Jan 2003 14:31:58 -0800
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E2732DE.2020306@pantherdragon.org>
References: <20030116114531.G9642-100000@mail.econolodgetulsa.com>

Josh Brooks wrote:
> Thank you for that advice - it is very well taken.
>
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> this case fbsd+ipfw)? Or would all serious people interested in
> mitigating attacks use an appliance, like a netscreen?
>
> I will say this - 9/10 attacks that hurt me do not do anything interesting
> - in fact they are even low bandwidth (2-3 megabits/s) but they have a
> packet/second rate that just eats up all my firewall cpu and no traffic
> goes through - and as soon as the attack goes away the firewall is fine.
>
> So, I am looking at putting in more sophisticated traffic shaping
> (limiting packets/s from each IP I have) and skipto rules to make the
> ruleset more efficient ... but this is going to be a lot of work, and I
> want to know if it is all just a waste because no matter how good I get at
> a freebsd firewall, a netscreen 10 will always be better?

That depends on what you're asking of the machine. The routing information
that will need to be held is the biggest one I can see, since the netscreens
have defined limits. A FreeBSD box, in theory, doesn't have these limitations.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
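An added example, not code from this thread or from either poster, of the approach Josh describes: an ipfw ruleset organised with skipto so an inbound packet walks only its own block, plus a dummynet pipe keyed per source address so one source cannot monopolise the input path. The interface name, the 2 Mbit/s per-source budget and the 50-packet queue are assumptions; dummynet shapes bits per second with a queue length in packets, so it approximates rather than exactly enforces a packets/s cap, and it still spends CPU on every packet it drops, which is exactly the cost the thread is worried about.

```shell
#!/bin/sh
# Added example (not code from the thread): ipfw ruleset skeleton using
# skipto blocks and a per-source dummynet pipe. Interface and rate figures
# are assumptions. Dry-run by default: set IPFW=/sbin/ipfw and
# SYSCTL=/sbin/sysctl on a real FreeBSD host to actually apply it.
IPFW=${IPFW:-"echo ipfw"}
SYSCTL=${SYSCTL:-"echo sysctl"}
EXT_IF=${EXT_IF:-fxp0}        # assumed outside interface

gen_rules() {
    # With one_pass=1 (the default) a packet leaving a pipe is accepted
    # outright and never reaches check-state or the final deny; clear it
    # so shaped packets continue at the rule after the pipe rule.
    $SYSCTL net.inet.ip.fw.one_pass=0
    $IPFW -f flush
    $IPFW -f pipe flush

    # 'mask src-ip 0xffffffff' creates one dynamic queue per source address,
    # each limited to 2 Mbit/s with a 50-packet backlog; anything beyond
    # that from a single source is dropped here, before stateful matching.
    # dummynet shapes bits/s, so this only approximates a packets/s limit.
    $IPFW pipe 1 config bw 2Mbit/s queue 50 mask src-ip 0xffffffff

    $IPFW add 100 allow ip from any to any via lo0
    # Dispatch: inbound on the outside interface jumps to its own block,
    # so outbound packets never evaluate the inbound rules and vice versa.
    $IPFW add 200 skipto 1000 ip from any to any in via "$EXT_IF"
    $IPFW add 300 allow ip from any to any out via "$EXT_IF"

    # Inbound block: shape, then let established flows match check-state
    # early so most packets stop after a handful of rule evaluations.
    $IPFW add 1000 pipe 1 ip from any to any in via "$EXT_IF"
    $IPFW add 1100 check-state
    $IPFW add 1200 allow tcp from any to me 80 in via "$EXT_IF" setup keep-state
    $IPFW add 1300 allow tcp from any to me 443 in via "$EXT_IF" setup keep-state
    $IPFW add 1400 deny log ip from any to any in via "$EXT_IF"
}

# Number of 'ipfw add' rules the generator emits (dry-run sanity check).
count_rules() {
    gen_rules | grep -c 'ipfw add'
}

gen_rules
```

Under a SYN flood every `setup keep-state` match creates a dynamic-rule entry, bounded by `net.inet.ip.fw.dyn_max`; watch that counter, because reaching it is a denial of service of its own.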