Date: Mon, 6 Jan 2003 03:56:51 +0300 (MSK) From: "."@babolo.ru To: Josh Brooks <user@mail.econolodgetulsa.com> Cc: Lars Eggert <larse@ISI.EDU>, freebsd-net@FreeBSD.ORG Subject: Re: Need help dealing with (D)DoS attacks (desperately) Message-ID: <200301060056.h060uq2J046966@aaz.links.ru> In-Reply-To: <20030105132545.I80512-100000@mail.econolodgetulsa.com>
>
> Hello,
>
> Ok, right now this second, everything is normal, I am not under attack
> AFAIK, and everything is working wonderfully - and when I run top I see:
>
> 21 processes: 1 running, 20 sleeping
> CPU states: 0.0% user, 0.0% nice, 0.0% system, 41.7% interrupt, 58.3%
> idle
> Mem: 6812K Active, 43M Inact, 28M Wired, 28K Cache, 35M Buf, 170M Free
> Swap: 128M Total, 128M Free
>
> and it fluctuates between 20-60% idle
>
> So it does look like the cpu is ... being used :) uptime tells me:
>
> # uptime
> 1:22PM up 20 days, 11:52, 2 users, load averages: 0.02, 0.01, 0.00
>
> -----
>
> ipfw rules:
>
> # ipfw show | wc -l
> 927
>
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
>
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any
>
> ------
>
> CPU is a ... celeron 500 ? 600 ? Something like that, and I have 256
> megs ram.
>
> More information: although it looks like I am using a lot of cpu, and do
> indeed have a lot of ipfw rules, I _do know_ that it was an attack, as it
> was aimed at IPs running very high profile services (ircd, etc.) that have
> been targets in the past. We filtered those IPs and the problem went away
> instantly.
I administer big (~1000 users each) nets.
Without such rules at the beginning of the ipfw ruleset:
02300 96121 77175703 pipe 2300 ip from X.X.X.X/24 to any in recv xl1
02300 26528 17986211 pipe 2300 ip from Y.Y.Y.Y/24 to any in recv xl3
02300 27044 21370476 pipe 2300 ip from Z.Z.Z.Z/24 to any in recv xl4
the router was unstable because of the great number of rules: <*1>
Pipes restrict per IP address, in my case: <*2>
!Place pipe rules at the beginning of the ruleset to protect
your router from flood!
Other tips:
Remember that routed packets go through
the ruleset twice; write rules to optimize
CPU usage.
Use special tools to collect traffic.
I use argus - it is a beautiful traffic
auditing tool and costs less cpu.
It behaves better under overload
because much of the work is done in userland.
Sorry for my bad English.
Ask when you need help.
--
<*1>
0sw~(1)#ipfw show | wc
435 4868 41602
0rw~(1)#ipfw show | wc
1917 19228 153479
0gw~(1)#ipfw show | wc
317 3480 34721
And so on.
Some rules are very wide (ipfw2 specific)
<*2>
0kw~(1)#ipfw pipe show
02300: 3.200 Mbit/s 0 ms 30 KB 44 queues (1024 buckets) droptail
mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
.... different pipes for different user classes
In your case you probably need a tube in the other direction:
0x00000000/0x0000 -> 0xffffffff/0x0000
--
@BABOLO http://links.ru/
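The ordering and mask advice in the reply above, as an added example that is not part of the original message and not babolo's or Josh's tooling: a small Python audit of `ipfw show` and `ipfw pipe show` output that flags pipe rules evaluated only after count rules, totals traffic per action, and says which address a pipe's dynamic queues are keyed on. The sample listing is constructed in the line format quoted in the thread (documentation address ranges); it is not output from either poster's router.

```python
"""Audit an `ipfw show` listing the way the reply above suggests: pipe (shaping)
rules should sit ahead of the many per-host count rules, because every packet
(routed packets twice) walks the count rules before reaching a later pipe.
Sample data below is constructed, not captured from any real router."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of `ipfw show`: number, packet count, byte count, action, rest of rule.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
# Mask line of `ipfw pipe show`: proto mask, then src-ip/src-port -> dst-ip/dst-port.
MASK_RE = re.compile(
    r"mask:\s*0x[0-9a-f]+\s+(0x[0-9a-f]+)/(0x[0-9a-f]+)\s*->\s*(0x[0-9a-f]+)/(0x[0-9a-f]+)",
    re.IGNORECASE,
)

# Constructed sample in the `ipfw show` format quoted in the thread.
SAMPLE_SHOW = """\
00100 96121 77175703 pipe 2300 ip from 192.0.2.0/24 to any in recv xl1
00200 164994 120444282 count ip from any to 10.10.10.10
00300 158400 16937232 count ip from 10.10.10.10 to any
00400 27044 21370476 pipe 2300 ip from 198.51.100.0/24 to any in recv xl4
65535 12 1200 allow ip from any to any
"""


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str
    body: str


def parse_ipfw_show(text: str) -> list[Rule]:
    """Parse `ipfw show` output; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def pipes_after_counts(rules: list[Rule]) -> list[int]:
    """Numbers of pipe rules that are reached only after at least one count rule.
    A flood aimed at a host behind such a pipe costs CPU in the count rules
    before the shaper ever sees it, which is what the reply warns about."""
    seen_count = False
    late = []
    for r in sorted(rules, key=lambda r: r.number):
        if r.action == "count":
            seen_count = True
        elif r.action == "pipe" and seen_count:
            late.append(r.number)
    return late


def traffic_by_action(rules: list[Rule]) -> dict[str, tuple[int, int]]:
    """Total (packets, bytes) per action, to see how much work is pure counting."""
    totals: dict[str, tuple[int, int]] = {}
    for r in rules:
        p, b = totals.get(r.action, (0, 0))
        totals[r.action] = (p + r.packets, b + r.nbytes)
    return totals


def describe_mask(line: str) -> str:
    """Explain a dummynet mask line: an all-ones IP mask keys one queue per host
    on that side, so the per-IP limit applies to sources or to destinations."""
    m = MASK_RE.search(line)
    if not m:
        raise ValueError("no dummynet mask found")
    src_ip, src_port, dst_ip, dst_port = (int(x, 16) for x in m.groups())
    keys = []
    if src_ip:
        keys.append("source IP" if src_ip == 0xFFFFFFFF else f"source prefix {src_ip:#010x}")
    if dst_ip:
        keys.append("destination IP" if dst_ip == 0xFFFFFFFF else f"destination prefix {dst_ip:#010x}")
    if src_port or dst_port:
        keys.append("port")
    return ("one queue per " + " + ".join(keys)) if keys else "a single shared queue"


if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE_SHOW)
    print(f"{len(rules)} rules parsed")
    print("pipe rules placed after count rules:", pipes_after_counts(rules))
    for action, (pkts, nbytes) in traffic_by_action(rules).items():
        print(f"  {action:6s} {pkts:>10d} packets {nbytes:>12d} bytes")
    # The two mask directions quoted in the reply's footnote <*2>.
    print(describe_mask("mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000"))
    print(describe_mask("mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000"))
```

Run it against the real listing with `ipfw show | python3 audit.py` after swapping the sample for `sys.stdin.read()`; a non-empty result from `pipes_after_counts` means the shaping rules should be renumbered below the count block.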
