Date: Fri, 03 Apr 2020 08:51:50 +0000 From: "Dave Cottlehuber" <dch@skunkwerks.at> To: freebsd-questions <freebsd-questions@freebsd.org> Subject: dealing with DoS - practical tips & tools? Message-ID: <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com>
Yesterday I saw another mild DoS attack on our network. Typically we get UDP floods and similar generic attacks, and also websocket-specific "layer 7" attacks from random IPs. Typically a few applications go offline when sockets are exhausted, or when their rate limiting kicks in hard.

Currently my setup is naive:

- pf with manual blocklists as required
- haproxy for layer7 blocklists
- off-server logs indexed in graylog

Which is pretty limited in both understanding what's happening *right now*, and also doing anything other than manual reaction to issues, *after* they impact users.

Before we go full cloudflare or whatever, where DDoS protection costs an arm and a leg, what do people recommend as the next open-source steps?

I'd like a couple of features - better real-time visibility, and some automation. Perhaps:

- last few hours of tcpdump level traffic, searchable in some form, off-server
- something partially automated that can update pf & haproxy tables when Obviously Bad Things happen

Are there any FreeBSD tools that people could recommend? Any tunables that help with resilience?

A+
Dave
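One concrete shape for the "partially automated" piece Dave asks about: a small script that reads haproxy access logs, counts requests per source address in a sliding window, and turns the offenders into pf table updates. This is an added example, not code from the original post or from the pf/haproxy projects. It assumes haproxy's default HTTP log format, an assumed pf table called ddos_block (which would have to be declared in pf.conf, e.g. as a persist table referenced by a block rule), and constructed sample log lines using documentation address ranges; the request threshold and window are also made-up values to tune for your own traffic.

```python
#!/usr/bin/env python3
"""Flag source IPs that exceed a request rate in haproxy logs and emit
pfctl table updates.  Added example; the table name, thresholds and the
sample log lines are constructed assumptions, not from the original post."""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# haproxy default HTTP log line looks like:
#   "... haproxy[PID]: CLIENT_IP:PORT [DD/Mon/YYYY:HH:MM:SS.mmm] frontend backend/server ..."
# We only need the client address and the accept timestamp.
LOG_RE = re.compile(r"haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f"

PF_TABLE = "ddos_block"  # assumed table name: 'table <ddos_block> persist' in pf.conf


def parse_line(line):
    """Return (ip, datetime) for a haproxy HTTP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_offenders(lines, max_requests=20, window_seconds=10.0):
    """Sliding-window rate check per source IP.

    Lines are consumed in file order (chronological per IP is all that matters,
    since each IP keeps its own window).  Returns the sorted list of IPs that
    exceeded max_requests within any window_seconds span."""
    windows = defaultdict(deque)
    offenders = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable or non-HTTP line: skip rather than crash on a flood
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        # Evict timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders.add(ip)
    return sorted(offenders)


def pfctl_commands(ips, table=PF_TABLE):
    """Build the pfctl invocations that add each IP to the block table."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]


def apply_blocks(ips, dry_run=True):
    """Print (dry run) or execute the pfctl commands.  Returns the command list."""
    cmds = pfctl_commands(ips)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs root on the pf host
    return cmds


def sample_log():
    """Constructed haproxy log excerpt: one source making 25 requests in 5 seconds
    (203.0.113.7) and one normal client making 3 (198.51.100.4)."""
    base = ("Apr  3 08:51:{sec:02d} gw haproxy[1234]: {ip}:{port} "
            "[03/Apr/2020:08:51:{sec:02d}.{ms:03d}] www_fe www_be/web1 "
            "0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 \"GET /ws HTTP/1.1\"")
    lines = []
    for i in range(25):  # 5 requests per second for 5 seconds
        lines.append(base.format(sec=50 + i // 5, ip="203.0.113.7",
                                 port=40000 + i, ms=(i % 5) * 200))
    for i in range(3):   # one request every 2 seconds
        lines.append(base.format(sec=50 + i * 2, ip="198.51.100.4",
                                 port=50000 + i, ms=0))
    return lines


if __name__ == "__main__":
    # Dry run against the constructed sample; point at a real log file and
    # set dry_run=False to actually update the pf table.
    apply_blocks(find_offenders(sample_log()), dry_run=True)
```

Two design notes. First, the script only ever adds to a table, so pair it with a pf table expiry (pfctl -t ddos_block -T expire <seconds> from cron) or you will accumulate stale entries from addresses that were only briefly abusive. Second, for plain connection-rate floods pf can do this without any script at all: the max-src-conn-rate state option combined with overload <table> flush global moves offending sources into a table in the kernel, which is the right tool when the signal is "too many connections" rather than something only visible at layer 7 in haproxy's logs.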