From: "PsYxAkIaS (FreeBSD)"
To: freebsd-isp@freebsd.org
Date: Sat, 28 Jun 2003 02:39:00 +0300
Message-ID: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
Subject: Shell Provider - DDoS Attacks - IPFW Ratelimiting
List-Id: Internet Services Providers

Hello all,

I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets (I've seen even 5000+ IPs) that use ICMP or TCP flood on the 21/80/113 (ftp/http/ident) ports and/or sometimes UDP flood. Our connection is 10 Mbps and we are planning to move to 100 Mbps. However, I am trying to find some solutions to limit the problem, like a Cisco firewall or some special technical support from the colocation ISP (Internap), because sometimes attacks are over 100 Mbps, like 300-350 Mbps.

-->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <---

Anyway, in order to slow down DDoS attacks we are thinking of setting a rate limit. I recompiled the kernel with DUMMYNET and I am running something like the following.

For example, to limit 400 kbps on 212.*:
----------------------------------------------------------
ipfw pipe 1 config bw 400kbit/s delay 50ms
ipfw add 100 pipe 1 ip from 212.0.0.0/8 to any
ipfw add 101 pipe 1 ip from any to 212.0.0.0/8
----------------------------------------------------------

I am planning to do the same for each A-class (I know 400 kbit/s per A-class is too slow, but I am trying to help it that way), so even if the attackers use 10 A-classes the max outgoing bandwidth will be 4 Mbps.

My question is, there are also some other parameters on pipe that can slow down a DDoS attack, like queue; what would you suggest for it? I found out that FreeBSD has a hard limit of 100 queue buffers and noticed that some websites show that Ethernet's limit of queue buffers is 50-100. Can you explain it to me a little, or give me a URL on how it works? Or give me your personal suggestions?

And a last thing, I use right now tcpdump, trafshow and ipfm to trace the source (attackers) and destination (which one of my IPs is attacked) IPs. Do you suggest any other tools to make my life easier?

I will appreciate any public or private answer. Thanks.
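As an added example (not part of the original post, nor FreeBSD's own tooling), a small Python script that ties the two questions together: it parses tcpdump output like the poster is already collecting, finds which source /8 networks are behind a flood and which local host is the target, and emits the per-A-class dummynet pipe rules in valid ipfw syntax. The sample traffic, the packet threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample tcpdump output (not real traffic): a SYN flood on port 80
# from two /8 networks, an ICMP flood, plus one ordinary ssh connection.
SAMPLE_TCPDUMP = """\
23:39:04.000001 IP 62.103.210.3.40001 > 212.1.1.5.80: Flags [S], seq 1, win 512, length 0
23:39:04.000002 IP 62.103.211.9.40002 > 212.1.1.5.80: Flags [S], seq 1, win 512, length 0
23:39:04.000003 IP 62.120.4.77.40003 > 212.1.1.5.80: Flags [S], seq 1, win 512, length 0
23:39:04.000004 IP 81.5.6.7.40004 > 212.1.1.5.80: Flags [S], seq 1, win 512, length 0
23:39:04.000005 IP 81.9.9.9 > 212.1.1.5: ICMP echo request, id 1, seq 1, length 64
23:39:04.000006 IP 81.200.1.1 > 212.1.1.5: ICMP echo request, id 1, seq 2, length 64
23:39:04.000007 IP 195.1.2.3.40005 > 212.1.1.9.22: Flags [S], seq 1, win 512, length 0
"""

# Matches "IP src[.sport] > dst[.dport]:" for both TCP/UDP and ICMP lines.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

def parse(lines):
    """Yield (src_ip, dst_ip, dst_port or None) for each line that looks like tcpdump output."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["dport"]

def top_talkers(text, threshold):
    """Return the source /8 networks sending >= threshold packets (busiest first)
    and the destination host receiving the most packets (None if no traffic)."""
    per_slash8, per_target = Counter(), Counter()
    for src, dst, _ in parse(text.splitlines()):
        per_slash8[src.split(".")[0] + ".0.0.0/8"] += 1
        per_target[dst] += 1
    noisy = [net for net, n in per_slash8.most_common() if n >= threshold]
    target = per_target.most_common(1)[0][0] if per_target else None
    return noisy, target

def ipfw_pipe_rules(networks, bw="400kbit/s", delay="50ms", first_rule=100):
    """One dummynet pipe per /8, with both directions of that /8 sent through it."""
    rules = []
    for i, net in enumerate(networks):
        pipe, rule = i + 1, first_rule + 2 * i
        rules.append(f"ipfw pipe {pipe} config bw {bw} delay {delay}")
        rules.append(f"ipfw add {rule} pipe {pipe} ip from {net} to any")
        rules.append(f"ipfw add {rule + 1} pipe {pipe} ip from any to {net}")
    return rules
```

Feed it `tcpdump -n` output instead of the constructed sample and review the printed rules before applying them; a separate pipe per /8 is what keeps ten attacking A-classes capped at ten times the pipe bandwidth.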