Date: Sat, 28 Jun 2003 02:39:00 +0300
From: "PsYxAkIaS (FreeBSD)" <freebsd@psyxakias.com>
To: <freebsd-isp@freebsd.org>
Subject: Shell Provider - DDoS Attacks - IPFW Ratelimiting
Message-ID: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
Hello all,

I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets (I've seen even 5000+ IPs) that use ICMP or TCP flood on 21/80/113 (ftp/http/ident) ports and/or sometimes UDP flood. Our connection is 10 mbps and we are planning to move to 100 mbps. However I am trying to find some solutions to limit the problem, like a Cisco firewall or some special technical support from the colocation ISP (Internap), because sometimes attacks are over 100 mbps, like 300-350 mbps.

-->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <---

Anyway, in order to slow down DDoS attacks we are thinking to set a ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following. For example, to limit 400 kbps on 212.*:

----------------------------------------------------------
ipfw pipe 1 config bw 400kbit/s delay 50ms
ipfw add 100 pipe 1 ip from 212.1.1.1/8 to any
ipfw add 101 pipe 1 ip from any to 212.1.1.1/8

I am planning to do the same for each A-class (I know 400 kbit/s per A-class is too slow but I am trying to help it that way), so even if the attackers use 10 A-classes the max outgoing bandwidth will be at 4 mbps.

My question is, there are also some other parameters on pipe that can slow down a DDoS attack, like queue; what would you suggest for it? I found out that FreeBSD has a hard limit at 100 queue buffers and noticed that some websites show that ethernet's limit of queue buffers is 50-100. Can you explain to me a little or give me a URL on how it works? Or give me your personal suggestions?

And a last thing, I use right now tcpdump, trafshow, ipfm to trace the source (attackers) and the destination (which one of my IPs is attacked) IPs. Do you suggest any other tools to make my life easier?

I will appreciate any public or private answer.

Thanks.
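The per-A-class dummynet setup from the mail, as an added example that is not part of the original post: a POSIX sh generator that emits the ipfw commands for a list of /8 prefixes (one pipe per /8, both directions, with the `queue` parameter the post asks about exposed as an argument), plus a variant that goes beyond the post by using dummynet's `mask src-ip` option so a single pipe keeps a separate queue per source /8. Function names, the default rule number and the sample values in the usage lines are constructed for this example; nothing is applied to the firewall unless the output is piped to sh.

```sh
#!/bin/sh
# Emit ipfw/dummynet rules that cap each listed /8 at BW kbit/s in both
# directions, as in the post (one pipe per A-class). Prints the commands
# so the set can be reviewed first, then applied with: ... | sh
# Usage: gen_ratelimit_rules BW_KBIT "FIRST_OCTET ..." QUEUE_PKTS [START_RULE]
gen_ratelimit_rules() {
  bw="$1"; octets="$2"; queue="$3"; rule="${4:-100}"
  pipe=1
  for o in $octets; do
    # Accept only a numeric first octet in the unicast range 1-223.
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -ge 1 ] && [ "$o" -le 223 ] || return 1
    echo "ipfw pipe $pipe config bw ${bw}Kbit/s delay 50ms queue $queue"
    echo "ipfw add $rule pipe $pipe ip from $o.0.0.0/8 to any"
    rule=$((rule + 1))
    echo "ipfw add $rule pipe $pipe ip from any to $o.0.0.0/8"
    rule=$((rule + 1))
    pipe=$((pipe + 1))
  done
}

# Variant beyond the post: one pipe with "mask src-ip 0xff000000" makes
# dummynet create a dynamic queue per distinct source /8, each with the
# configured bandwidth, so attacking A-classes need not be listed by hand.
# Usage: gen_masked_pipe BW_KBIT QUEUE_PKTS
gen_masked_pipe() {
  bw="$1"; queue="$2"
  echo "ipfw pipe 1 config bw ${bw}Kbit/s queue $queue mask src-ip 0xff000000"
  echo "ipfw add 100 pipe 1 ip from any to any in"
}

# Constructed sample run: two A-classes at 400 kbit/s, 50-packet queues.
gen_ratelimit_rules 400 "212 213" 50
gen_masked_pipe 400 50
```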