From owner-freebsd-isp@FreeBSD.ORG Fri Jun 27 16:46:51 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8E7E37B401 for ; Fri, 27 Jun 2003 16:46:51 -0700 (PDT) Received: from alcatraz.wolfpaw.net (alcatraz.wolfpaw.net [204.209.44.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 16ABF43FBF for ; Fri, 27 Jun 2003 16:46:51 -0700 (PDT) (envelope-from admin-lists@wolfpaw.net) Received: (qmail 23806 invoked by uid 0); 27 Jun 2003 23:46:49 -0000 Received: from unknown (HELO wolf) (216.123.201.128) by 0 with SMTP; 27 Jun 2003 23:46:49 -0000 From: "Wolfpaw - Dale Corse" To: "PsYxAkIaS (FreeBSD)" , Date: Fri, 27 Jun 2003 17:48:26 -0600 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal In-Reply-To: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com> Subject: RE: Shell Provider - DDoS Attacks - IPFW Ratelimiting X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jun 2003 23:46:52 -0000 Rate limiting won't help.. think of it this way.. you have a pipe that will take 10 gallons of water per minute.. if you add a valve so it can only do 6 gallons per minute, and there is 350 gallons per minute being poured down it.. it will still clog. Point is .. DDOS attacks don't care if you reply to the request, they will keep sending anyway, in fact most of them are designed to "pump it up" if you do respond. Rate limiting won't help you, all you can do really is have your upstream "black hole" the attacked ip range until it stops to try and cut down your bill. Just my 2 cents :) D. -------------------------------- Dale Corse System Administrator Wolfpaw Services Inc. http://www.wolfpaw.net (780) 474-4095 > -----Original Message----- > From: owner-freebsd-isp@freebsd.org > [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of > PsYxAkIaS (FreeBSD) > Sent: Friday, June 27, 2003 5:39 PM > To: freebsd-isp@freebsd.org > Subject: Shell Provider - DDoS Attacks - IPFW Ratelimiting > > > Hello all, > > I currently administrate a shell provider that has several > problems with DDoS attacks. Most attacks are with infected > botnets(I've seen even 5000+ ips) that use icmp or tcp > flood on 21/80/113(ftp/http/ident) ports and/or sometimes > udp flood. Our connection is 10 mbps and we are planning to > move to 100 mbps. However I am trying to find some > solutions to limit the problem like cisco firewall or some > special technical support from the colocation isp > (Internap) because sometimes attacks are over 100 mbps like > 300-350 mbps. > > -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS > ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <--- > > Anyway, In order to slow down DDoS attacks we are thinking > to set ratelimit. I recompiled the kernel with DUMMYNET and > I am running something like the following: > > For example, to limit 400 kbps on 212.*: > ---------------------------------------------------------- > ipfw pipe 1 config bw 400kbit/s delay 50ms > ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any > ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8 > > I am planning to do the same for each A-Class (I know 400 > kbit/s per a-class is too slow but i am trying to help it > that way), so even if the attackers use 10 a-classes the > max outgoing bandwidth will be at 4 mbps. > > My question is, there are also some other parameters on > pipe that can slow down a DDoS attack like queue, what > would you suggest for it? I found out that freebsd has > hardlimit at 100 queue buffers and noticed that some > websites that show ethernet's limit of queue buffers is > 50-100. Can you explain me a little or give me a url on how > it works? Or give me your personal suggestions? > > And a last thing, I use right now tcpdump, trafshow, ipfm > to trace the source(attackers) and the destination(which > one of my ips is attacked) ips. Do you suggest any other > tools to make my life easier? > > I will appreciate any public or private answer. > > Thanks. > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to > "freebsd-isp-unsubscribe@freebsd.org" >