From: "James Bowman Sineath, III" <sineathj1@citadel.edu>
To: "vladone", "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Mon, 29 Aug 2005 20:31:38 -0400
Subject: Re: Re[4]: how to know if i'm under flood?
Message-ID: <004201c5acfa$410b53b0$e697e19b@IBMTWAQPEF2DWZ>
References: <1905744288.20050827224121@spaingsm.com> <4310C64B.2060807@mkproductions.org> <333541280.20050827235941@spaingsm.com> <003201c5ab59$673d5940$030a000a@IBMTWAQPEF2DWZ> <1594562973.20050828195814@spaingsm.com>

> Thanks for reply!
> If u have more experience, please give some example about what sysctl
> variable to set,

There are a variety of them. I can give you a few examples of ones that I set, but depending upon the attack and what it is targeting, they may prove to be ineffective.

Keep in mind that there are a variety of different DoS attacks that target a variety of different services or protocols. Look at some of the following variables:

    net.inet.tcp.blackhole, net.inet.udp.blackhole,
    net.inet.icmp.drop_redirects, net.inet.icmp.log_redirects,
    net.link.ether.inet.max_age, net.inet.tcp.sendspace, net.inet.tcp.recvspace,
    net.inet.tcp.always_keepalive, kern.ipc.maxsockets, kern.ipc.maxsockbuf,
    net.inet.ip.rtexpire, net.inet.ip.rtminexpire, kern.ipc.somaxconn

I don't want to tell you what to set the values to because many of them vary depending upon the type of attack, stats on the box and the purpose of the machine. There are also a variety of others you can use; those are just some examples.

> and which ipfw rules can prevent DoS.

Keep in mind that denial of service attacks do not always come in the form of a flood. Often times it can be a few specially crafted packets that cause a service to crash or consume memory, so it is vital that you keep all of your software updated and watch for security advisories.

I would advise you to read about the different types of firewalls available and choose one that fits the purpose of your machine. I would recommend setting up an inclusive firewall; you can read more on that in the handbook (there is an example ruleset there I believe).

That being said, there isn't much you can do about floods. I never said that using a firewall would PREVENT denial of service attacks, I simply said that it would notify you when they were occurring. Also, be sure to set up your rules so that if you do get flooded, your logs won't fill up so quickly that it consumes your entire hard drive (set specific rules and use logamount x). If you are having a problem with floods then the only other thing you can do is have your ISP filter them out; the firewall rules on your box will prove to be ineffective against high bandwidth floods.

Bow Sineath
Class of 2006, the Citadel
sineathj1@citadel.edu - bow.sineath@gmail.com
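The reply above lists DoS-related sysctl knobs but deliberately gives no values, since the right settings depend on the box. The script below is an added example, not part of the original message: it audits a captured sysctl dump against a baseline so that an administrator can see which knobs on a host differ from the policy they chose. The snapshot is constructed here in the "name: value" form that FreeBSD's `sysctl` prints, and the baseline minimums (`net.inet.tcp.blackhole` at 2, `kern.ipc.somaxconn` at 1024, and so on) are illustrative assumptions for the demonstration, not recommendations from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): compare a sysctl snapshot
# against a baseline of DoS-related knobs and report the ones that fall short.

# Constructed snapshot in the "name: value" form printed by `sysctl`
# on FreeBSD (on a real host: sysctl net.inet.tcp.blackhole ... > snapshot).
SNAPSHOT='net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
net.inet.icmp.drop_redirects: 1
net.inet.icmp.log_redirects: 0
net.inet.tcp.always_keepalive: 1
kern.ipc.somaxconn: 128'

# Assumed baseline of "name minimum" pairs; the numbers are placeholders
# chosen for this example, not values taken from the mail.
BASELINE='net.inet.tcp.blackhole 2
net.inet.udp.blackhole 1
net.inet.icmp.drop_redirects 1
net.inet.icmp.log_redirects 1
net.inet.tcp.sendspace 65536
kern.ipc.somaxconn 1024'

# knob_value NAME SNAPSHOT: print the value recorded for NAME, or "missing"
# when the snapshot does not contain that knob at all.
knob_value() {
    awk -v name="$1" -v snap="$2" 'BEGIN {
        v = "missing"
        n = split(snap, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ": ")
            if (f[1] == name) v = f[2]
        }
        print v
    }'
}

# flagged_knobs SNAPSHOT BASELINE: print "name current minimum" for every
# baseline knob whose current value is below the minimum or absent from the
# snapshot (absent knobs are reported with "missing" as the current value).
flagged_knobs() {
    awk -v snap="$1" -v base="$2" 'BEGIN {
        n = split(snap, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ": ")
            if (f[1] != "") cur[f[1]] = f[2]
        }
        m = split(base, blines, "\n")
        for (i = 1; i <= m; i++) {
            split(blines[i], g, " ")
            if (g[1] == "") continue
            if (!(g[1] in cur)) print g[1], "missing", g[2]
            else if (cur[g[1]] + 0 < g[2] + 0) print g[1], cur[g[1]], g[2]
        }
    }'
}

# Stand-alone run: list the knobs that need attention on this snapshot.
echo "Knobs below baseline (name current minimum):"
flagged_knobs "$SNAPSHOT" "$BASELINE"
```

Running this on the constructed snapshot flags `net.inet.tcp.blackhole`, `net.inet.icmp.log_redirects` and `kern.ipc.somaxconn` as below their assumed minimums and `net.inet.tcp.sendspace` as missing; knobs that are missing from a dump are reported rather than silently skipped so a truncated capture does not look like a clean audit.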