From owner-freebsd-isp@FreeBSD.ORG Sat Jun 28 07:28:54 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 80EBF37B401 for ; Sat, 28 Jun 2003 07:28:54 -0700 (PDT) Received: from flash.mipk-kspu.kharkov.ua (flash.mipk-kspu.kharkov.ua [194.44.157.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8749D43FA3 for ; Sat, 28 Jun 2003 07:28:48 -0700 (PDT) (envelope-from artem@mipk-kspu.kharkov.ua) Received: from mipk-kspu.kharkov.ua (aws.aws-net.org.ua [192.168.32.1]) h5SEQW4N035560; Sat, 28 Jun 2003 17:26:36 +0300 (EEST) (envelope-from artem@mipk-kspu.kharkov.ua) Message-ID: <3EFDA5A2.4020707@mipk-kspu.kharkov.ua> Date: Sat, 28 Jun 2003 17:26:42 +0300 From: "Artyom V. Viklenko" Organization: IIAT NTU "KhPI" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: ru, uk, en MIME-Version: 1.0 To: "PsYxAkIaS (FreeBSD)" References: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com> In-Reply-To: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Jun 2003 14:28:54 -0000 PsYxAkIaS (FreeBSD) wrote: > Hello all, > > I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets(I've seen even 5000+ ips) that use icmp or tcp flood on 21/80/113(ftp/http/ident) ports and/or sometimes udp flood. Our connection is 10 mbps and we are planning to move to 100 mbps. However I am trying to find some solutions to limit the problem like cisco firewall or some special technical support from the colocation isp (Internap) because sometimes attacks are over 100 mbps like 300-350 mbps. > > -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <--- > > Anyway, In order to slow down DDoS attacks we are thinking to set ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following: > > For example, to limit 400 kbps on 212.*: > ---------------------------------------------------------- > ipfw pipe 1 config bw 400kbit/s delay 50ms > ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any > ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8 > You can try to use 'limit src-addr n' in ipfw rules. n is a number of concurent connections from single ip address. It is very usefull with statefull filtering. Hope this helps in case of TCP-based attacks such as SYN-flood.