Date: Sat, 28 Jun 2003 17:26:42 +0300 From: "Artyom V. Viklenko" <artem@mipk-kspu.kharkov.ua> To: "PsYxAkIaS (FreeBSD)" <freebsd@psyxakias.com> Cc: freebsd-isp@freebsd.org Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting Message-ID: <3EFDA5A2.4020707@mipk-kspu.kharkov.ua> In-Reply-To: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com> References: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
next in thread | previous in thread | raw e-mail | index | archive | help
PsYxAkIaS (FreeBSD) wrote: > Hello all, > > I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets(I've seen even 5000+ ips) that use icmp or tcp flood on 21/80/113(ftp/http/ident) ports and/or sometimes udp flood. Our connection is 10 mbps and we are planning to move to 100 mbps. However I am trying to find some solutions to limit the problem like cisco firewall or some special technical support from the colocation isp (Internap) because sometimes attacks are over 100 mbps like 300-350 mbps. > > -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <--- > > Anyway, In order to slow down DDoS attacks we are thinking to set ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following: > > For example, to limit 400 kbps on 212.*: > ---------------------------------------------------------- > ipfw pipe 1 config bw 400kbit/s delay 50ms > ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any > ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8 > You can try to use 'limit src-addr n' in ipfw rules. n is a number of concurent connections from single ip address. It is very usefull with statefull filtering. Hope this helps in case of TCP-based attacks such as SYN-flood.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EFDA5A2.4020707>