Date:      Fri, 3 Apr 2020 11:00:28 -0400
From:      David Mehler <dave.mehler@gmail.com>
To:        Dave Cottlehuber <dch@skunkwerks.at>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: dealing with DoS - practical tips & tools?
Message-ID:  <CAPORhP45qLHf0WiEGHEpXAeBcki=-5xXXB1ij0LCLs2N0S_MBg@mail.gmail.com>
In-Reply-To: <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com>
References:  <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com>

Hello,

Where do you get your pf blocklists from?

As for an idea, try fail2ban and see if that helps.

Hth
Dave.


On 4/3/20, Dave Cottlehuber <dch@skunkwerks.at> wrote:
> Yesterday I saw another mild DoS attack on our network. Typically we get UDP
> floods and similar generic attacks, and also websocket-specific "layer 7"
> attacks from random IPs.
>
> Typically a few applications go offline when sockets are exhausted, or when
> their rate limiting kicks in hard.
>
> Currently my setup is naive:
>
> - pf with manual blocklists as required
> - haproxy for layer7 blocklists
> - off-server logs indexed in graylog
>
> Which is pretty limited in both understanding what's happening *right now*,
> and also doing anything other than manual reaction to issues, *after* they
> impact users.
>
> Before we go full Cloudflare or whatever, where DDoS protection costs
> an arm and a leg, what do people recommend as the next open-source steps?
>
> I'd like a couple of features - better real-time visibility, and some
> automation.
>
> perhaps:
>
> - last few hours of tcpdump level traffic, searchable in some form,
> off-server
>
> - something partially automated that can update pf & haproxy tables when
> Obviously Bad Things happen
>
> Are there any FreeBSD tools that people could recommend? Any tunables that
> help with resilience?
>
> A+
> Dave