From owner-freebsd-questions@freebsd.org Fri Apr 3 15:36:51 2020
Date: Fri, 03 Apr 2020 15:36:08 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "David Mehler", freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: dealing with DoS - practical tips & tools?
Message-Id: <495fcc41-5ff0-4ebe-8157-1f079675a9c5@www.fastmail.com>
Content-Type: text/plain

> On 4/3/20, Dave Cottlehuber wrote:
> > yesterday I saw another mild DoS attack on our network. Typically we get UDP
> > floods and similar generic attacks, and also websocket-specific "layer 7"
> > attacks from random IPs.
> On Fri, 3 Apr 2020, at 15:00, David Mehler wrote:
> Hello,
>
> Where do you get your pf blocklists from?
Hi David,

funnily enough this pretty much nailed the layer7 stuff -- for the moment:

curl -#L \
  https://ip-ranges.amazonaws.com/ip-ranges.json \
  | jq -reC '.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' \
  | sort \
  | uniq \
  > /etc/pf.amazon

> As for an idea try fail2ban see if that helps.

That might be a bit tricky as not a lot of this is HTTP traffic, and logs
are not local to the box, but yes this is worth a look too. Perhaps I can
get info via pflog and feed this in as well.

I've found zeek as well, suricata, & will see if I can get anything useful
out of graylog which we already have in place.

A+
Dave
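The curl | jq | sort | uniq pipeline above turns the AWS ip-ranges.json document into a pf table file. The following is an added example (not code from the post or from any FreeBSD project) that does the same job with Python's standard library, so it runs without jq, and adds the two checks a defender wants before loading a blocklist into pf: each entry is validated as a CIDR prefix (a malformed line would make pfctl reject the whole table file), and adjacent or overlapping prefixes are collapsed so the table stays small. The SAMPLE_JSON is constructed for the example in the shape of the real document; the pf.conf fragment, the table name `<amazon>` and the `$ext_if` macro are assumptions for illustration.

```python
"""Build a pf(4) table file from an AWS ip-ranges.json document.

Added example, not from the original mailing-list post. Reproduces the
'.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' jq filter from the
post with the standard library, then validates and collapses the prefixes.
"""
import ipaddress
import json
import urllib.request

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (only the fields the post's jq filter reads are relevant).
SAMPLE_JSON = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2020-04-03-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25", "region": "eu-central-1", "service": "EC2"},  # duplicate
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "not-a-prefix", "region": "us-east-1", "service": "AMAZON"},  # malformed
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/33", "region": "us-east-1", "service": "AMAZON"},
        {"ipv6_prefix": "2001:db8:8000::/33", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def extract_prefixes(doc):
    """Return (v4_networks, v6_networks, rejected_strings) from a parsed document.

    Anything that is not a valid CIDR prefix is reported instead of being
    written into the table file, where pfctl would refuse the whole file.
    """
    v4, v6, rejected = [], [], []
    for key, field, bucket in (("prefixes", "ip_prefix", v4),
                               ("ipv6_prefixes", "ipv6_prefix", v6)):
        for entry in doc.get(key, []):
            raw = entry.get(field, "")
            try:
                bucket.append(ipaddress.ip_network(raw, strict=True))
            except ValueError:
                rejected.append(raw)
    return v4, v6, rejected


def build_table(text):
    """Parse JSON text; return (sorted collapsed prefix strings, rejected entries)."""
    v4, v6, rejected = extract_prefixes(json.loads(text))
    # collapse_addresses deduplicates, merges adjacent networks and drops
    # networks contained in others (192.0.2.0/25 + 192.0.2.128/25 -> 192.0.2.0/24).
    # It only accepts one address family per call, hence the two calls.
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged], rejected


def render_pf_table(prefixes, source):
    """Render the table file body: one prefix per line, '#' comment for provenance."""
    lines = ["# generated from %s" % source] + prefixes
    return "\n".join(lines) + "\n"


def fetch_live(url="https://ip-ranges.amazonaws.com/ip-ranges.json", timeout=30):
    """Download the real document (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Hypothetical pf.conf fragment that loads the generated file as a table.
# Table name and the $ext_if macro are assumptions for this example.
PF_CONF_SNIPPET = """\
table <amazon> persist file "/etc/pf.amazon"
block drop in quick on $ext_if from <amazon> to any
"""

if __name__ == "__main__":
    prefixes, rejected = build_table(SAMPLE_JSON)
    print(render_pf_table(prefixes, "constructed sample"), end="")
    for bad in rejected:
        print("# rejected entry: %r" % bad)
    print(PF_CONF_SNIPPET)
```

Run against the constructed sample, the five IPv4 entries and two IPv6 entries collapse to three prefixes (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and the malformed entry is reported rather than written. Swap `SAMPLE_JSON` for `fetch_live()` to process the real document, and reload the table with `pfctl -t amazon -T replace -f /etc/pf.amazon` after regenerating the file.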