From owner-freebsd-security@FreeBSD.ORG Sun Feb 10 09:07:15 2013
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 8A7C4A34; Sun, 10 Feb 2013 09:07:15 +0000 (UTC) (envelope-from jim.howlett@outlook.com)
Received: from snt0-omc3-s2.snt0.hotmail.com (snt0-omc3-s2.snt0.hotmail.com [65.55.90.141]) by mx1.freebsd.org (Postfix) with ESMTP id 5E663F78; Sun, 10 Feb 2013 09:07:14 +0000 (UTC)
Received: from SNT002-W126 ([65.55.90.137]) by snt0-omc3-s2.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Sun, 10 Feb 2013 01:06:08 -0800
X-EIP: [V5O1ikLSc7w6TQ6IZAaxFsHylyZbkOS/]
X-Originating-Email: [jim.howlett@outlook.com]
Message-ID:
From: James Howlett
To: "khatfield@socllc.net"
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:06:07 +0100
Importance: Normal
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
References: , <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 10 Feb 2013 09:06:08.0392 (UTC) FILETIME=[DD2DD080:01CE076D]
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: "freebsd-isp@freebsd.org", "freebsd-security@freebsd.org"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 10 Feb 2013 09:07:15 -0000

Hello, Kevin, thank You for the information.

> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straight forward deny/allow + source spoof settings.
>
> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>

Let me tell You a bit about my setup. All my connections to ISP's are 1Gigabit each. They are terminated on my switch, and the router is connected to that switch.

> Deny all ICMP (drop I mean) and UDP except where specifically required.

Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.

> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
>

This is already done. I also have out of band management to my router over a different network connection. If all my ISP's fail I can still connect to that router.

> The less you do with the firewall (routing/blocking/inspecting) the better.
>
> Drop drop drop ;)
>
> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
>

I have the following ethernet cards in my router:

device = '82579LM Gigabit Network Connection'
device = '82571EB Gigabit Ethernet Controller'
device = '82571EB Gigabit Ethernet Controller'
device = '82574L Gigabit Network Connection'

but at this moment I use only the 82571EB model.

> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
>

At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.

> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
>

There is nothing to apologize for - You are most helpful.

> I have my configs which I can send by tomorrow if needed. (For examples)
>

That would be great.

All best,
Jim
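The hardening that Kevin lists in the quoted text (default deny, source-spoof protection, ICMP only from the monitoring host, UDP only where required, ssh only from one management address, and not going overboard with tracking) can be expressed as a short pf.conf. The fragment below is an added illustration written for this archive page; it is not Kevin's config (which he had not yet sent at this point in the thread) and not anything from the FreeBSD project. The interface name em0, the monitoring host, the management address and the list of required UDP ports are assumptions and placeholders to be replaced with real values:

```conf
# Added illustration, not the configuration discussed in the thread.
# Assumed values (replace with your own):
ext_if       = "em0"             # assumption: the 82571EB port facing the ISP switch
mon_host     = "192.0.2.10"      # assumption: monitoring host allowed to ping the router
mgmt_ip      = "198.51.100.5"    # assumption: static IP / VPN endpoint allowed to ssh in
udp_required = "{ 53, 123 }"     # assumption: only the UDP services actually in use

set skip on lo0
set block-policy drop            # "drop drop drop": silently discard, send no RST/unreachable

# Source-spoof protection: our own networks arriving on the outside, plus
# private and unroutable ranges that should never appear as a source there
antispoof quick for $ext_if
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
block drop in quick on $ext_if from <martians>

# Addresses that exceeded the port-80 connection rate below (filled by pf at runtime)
table <flooders> persist
block drop in quick on $ext_if from <flooders>

# Default deny in both directions; the pass rules below open exactly what is needed
block drop all

# ICMP only from the monitoring host (echo request in, the reply matches the state)
pass in quick on $ext_if inet proto icmp from $mon_host to ($ext_if) icmp-type echoreq keep state

# UDP only where specifically required
pass in quick on $ext_if inet proto udp to ($ext_if) port $udp_required keep state

# ssh reachable from the single management address only
pass in quick on $ext_if inet proto tcp from $mgmt_ip to ($ext_if) port 22 flags S/SA keep state

# The public web service. synproxy completes the handshake on behalf of the server, so
# half-open SYN floods never reach it. The source-tracking limit is deliberately coarse:
# per Kevin's advice, a large tracking table is itself a resource that burns under a flood.
pass in on $ext_if inet proto tcp to ($ext_if) port 80 flags S/SA synproxy state \
     (max-src-conn-rate 100/10, overload <flooders> flush global)

# Let the router itself initiate connections outward
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and load it with `pfctl -f /etc/pf.conf`. Note that the `<flooders>` table and the synproxy rule are the only stateful tracking in the set, and that the rule has no effect on the 200k PPS case Jim describes if the link itself is saturated: as Kevin says, filtering on the host only helps while the flood stays below line rate, and anything larger has to be dropped upstream at the ISP.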