From: "David DeSimone" <ddesimone@verio.net>
To: "Elvir Kuric"
Cc: freebsd-pf@freebsd.org
Date: Sun, 9 Nov 2008 14:07:00 -0600
Subject: Re: Blocking udp flood traffic using pf, hints welcome
Message-ID: <20081109200659.GA8477@verio.net>
In-Reply-To: <1814bfe70811090544o28c29c5u185e3c0f2b8e85b4@mail.gmail.com>
References: <1814bfe70811090137v39cd6434l49b545eb3b6eb88c@mail.gmail.com> <20081109112125.GA36707@icarus.home.lan> <1814bfe70811090544o28c29c5u185e3c0f2b8e85b4@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Elvir Kuric wrote:
>
> I absolutely agree with you regarding logging, and I do not practice
> this, only logging specific data. The biggest problem with these DoS
> attacks (udp floods) is, the processor must spend some time on packet
> arrival (even dropping will take some processor power).

You may want to consider adding "keep state" to your "block log" rules. If you keep state on the blocked packets, only the first packet that is blocked will get logged; the others will be blocked statefully without consulting the rulebase, which may save some processing time. Note that "keep state" is only implicit on "pass" rules; you must add it on "block" rules.

> No IRC is present here, or similar stuff; it is just a firewall/router
> running at the edge of the internal network.
>
> Also on machines in the internal network there is not some "interesting"
> stuff.

I suppose what you mean is "No IRC is present here" that you know of. A nefarious hacker can actually install these tools in ways that you are not aware of, and this is often the cause of any DoS attacks you receive.

I agree with the above: DoS attacks do not typically happen without reason. There is probably a reason that your system is coming under attack, and you need to do some real forensic examination to make sure that your systems (all of them, the ones that forward traffic through this BSD gateway of yours) are clean and not doing anything they shouldn't be. It's easy to say that you did not set up anything bad on your systems, but can you really say with certainty that no one has broken into your systems and installed something you don't know about?
--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow