Date:      Sun, 10 Feb 2013 10:06:07 +0100
From:      James Howlett <jim.howlett@outlook.com>
To:        "khatfield@socllc.net" <khatfield@socllc.net>
Cc:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   RE: FreeBSD DDoS protection
Message-ID:  <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

Hello,

Kevin, thank You for the information.

> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
>
> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>

Let me tell You a bit about my setup. All my connections to ISPs are 1 Gigabit each. They are terminated on my switch, and the router is connected to that switch.

> Deny all ICMP (drop I mean) and UDP except where specifically required.

Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.

> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
>

This is already done. I also have out-of-band management to my router over a different network connection. If all my ISPs fail I can still connect to that router.

> The less you do with the firewall (routing/blocking/inspecting) the better.
>
> Drop drop drop ;)
>
> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
>

I have the following ethernet cards in my router:
  device     = '82579LM Gigabit Network Connection'
  device     = '82571EB Gigabit Ethernet Controller'
  device     = '82571EB Gigabit Ethernet Controller'
  device     = '82574L Gigabit Network Connection'

but at this moment I use only the 82571EB model.

> I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
>

At this moment an attack on port 80 kills my network connection with the number of PPS. 200000 is reached in a second and the router can't process any new connections.

> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
>

There is nothing to apologize for - You are most helpful.

> I have my configs which I can send by tomorrow if needed. (For examples)
>

That would be great.

All best,
Jim
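The advice in the exchange above (source-spoof protection, ICMP only from the monitoring host, SSH only from a fixed management address, and some protection for port 80 against SYN floods) maps onto a small pf ruleset. The following is an added illustration written for this archive page, not Kevin's configs or anything from the thread. The interface name `em0`, the addresses for the management host, monitoring host and web server, and the state limits are placeholders chosen for the example:

```pf
# /etc/pf.conf -- illustrative ruleset (added example, not from the thread).
# Interface and addresses below are assumptions/placeholders.
ext_if  = "em0"            # assumption: the 82571EB uplink attaches as em0
mgmt_ip = "192.0.2.10"     # assumption: static/VPN address allowed to reach SSH
mon_ip  = "192.0.2.20"     # assumption: monitoring host allowed to ping the router
web_srv = "198.51.100.5"   # assumption: web server reached through this router

# Sources that trip the per-source limits on port 80 land here and stay blocked
table <flooders> persist

set limit states 100000    # bound state-table memory; tune to the box
set skip on lo0

# Normalise fragments once so later rules see whole packets
scrub in on $ext_if all fragment reassemble

# Source spoof protection: drop packets arriving on the uplink that claim
# one of our own addresses, plus obviously bogus sources
antispoof quick for $ext_if
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                                127.0.0.0/8, 0.0.0.0/8 }
block in quick on $ext_if from <flooders>

# Default deny inbound (ICMP and UDP included); allow our own outbound
block in log all
pass out quick keep state

# SSH only from the management address
pass in quick on $ext_if proto tcp from $mgmt_ip to ($ext_if) port 22 \
    flags S/SA keep state

# ICMP echo only from the monitoring host; all other ICMP hits the default block
pass in quick on $ext_if inet proto icmp from $mon_ip to ($ext_if) \
    icmp-type echoreq keep state

# Port 80: pf completes the TCP handshake before the web server sees the
# connection, and a source opening too many connections is moved to <flooders>
pass in quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 30/10, overload <flooders> flush global)
```

Load and check it with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. Note the trade-off Kevin raises: `synproxy` and the per-source counters are state tracking, and they cost memory and CPU per packet. They help against a SYN flood that is below link capacity; once a flood saturates the 1 Gbit link itself, as the 200000 PPS case above appears to, no ruleset on the router can restore the connection and the filtering has to happen upstream.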

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?SNT002-W126C067EAA248C592EBB424E50B0>