Date: Mon, 29 Aug 2005 20:31:38 -0400
From: "James Bowman Sineath, III" <sineathj1@citadel.edu>
To: "vladone" <vladone@spaingsm.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: Re[4]: how to know if i'm under flood?
Message-ID: <004201c5acfa$410b53b0$e697e19b@IBMTWAQPEF2DWZ>
References: <1905744288.20050827224121@spaingsm.com> <4310C64B.2060807@mkproductions.org> <333541280.20050827235941@spaingsm.com> <003201c5ab59$673d5940$030a000a@IBMTWAQPEF2DWZ> <1594562973.20050828195814@spaingsm.com>
> Thanks for reply!
> If you have more experience, please give some example about what sysctl
> variable to set,

There are a variety of them. I can give you a few examples of ones that I set, but depending upon the attack and what it is targeting, they may prove to be ineffective. Keep in mind that there are a variety of different DoS attacks that target a variety of different services or protocols. Look at some of the following variables:

net.inet.tcp.blackhole, net.inet.udp.blackhole, net.inet.icmp.drop_redirects, net.inet.icmp.log_redirects, net.link.ether.inet.max_age, net.inet.tcp.sendspace, net.inet.tcp.recvspace, net.inet.tcp.always_keepalive, kern.ipc.maxsockets, kern.ipc.maxsockbuf, net.inet.ip.rtexpire, net.inet.ip.rtminexpire, kern.ipc.somaxconn

I don't want to tell you what to set the values to because many of them vary depending upon the type of attack, stats on the box and the purpose of the machine. There are also a variety of others you can use; those are just some examples.

> and which ipfw rules can prevent DoS.

Keep in mind that denial of service attacks do not always come in the form of a flood. Oftentimes it can be a few specially crafted packets that cause a service to crash or consume memory, so it is vital that you keep all of your software updated and watch for security advisories. I would advise you to read about the different types of firewalls available and choose one that fits the purpose of your machine. I would recommend setting up an inclusive firewall; you can read more on that in the handbook (there is an example ruleset there, I believe). That being said, there isn't much you can do about floods. I never said that using a firewall would PREVENT denial of service attacks; I simply said that it would notify you when they were occurring. Also, be sure to set up your rules so that if you do get flooded, your logs won't fill up so quickly that it consumes your entire hard drive (set specific rules and use logamount x).

If you are having a problem with floods then the only other thing you can do is have your ISP filter them out; the firewall rules on your box will prove to be ineffective against high bandwidth floods.

Bow Sineath
Class of 2006, the Citadel
sineathj1@citadel.edu - bow.sineath@gmail.com
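The following is an added example, not part of the original thread or of any FreeBSD project code. It puts the three things discussed in the reply next to each other: a candidate sysctl.conf fragment built from the variables listed (the values are illustrative and must be tuned per machine), an inclusive ipfw ruleset whose deny rules are capped with logamount so a flood cannot fill the disk with log lines, and a small awk check that answers the original question ("how do I know if I'm under flood?") by counting denied packets per source in the ipfw syslog output. It assumes the standard ipfw syslog line format ("ipfw: RULE ACTION PROTO SRC[:SPORT] DST[:DPORT] in via IFACE"); the hostname, interface name em0, the threshold and the log lines themselves are constructed for the example.

```sh
#!/bin/sh
# Added example for the thread above; not code from the original poster.
# Values, hostnames, interface (em0) and the sample log are assumptions.

# 1. Candidate /etc/sysctl.conf fragment (illustrative values, tune per box).
sysctl_fragment() {
    cat <<'EOF'
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.drop_redirects=1
net.inet.icmp.log_redirects=1
kern.ipc.somaxconn=1024
EOF
}

# 2. Inclusive ipfw ruleset: allow what is needed, deny and log the rest,
#    but cap log lines per rule with logamount so a flood cannot fill the disk.
#    After the cap is reached, "ipfw resetlog" re-arms logging.
ipfw_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 check-state
add 00300 allow tcp from me to any out setup keep-state
add 00400 allow udp from me to any out keep-state
add 00500 allow tcp from any to me 22 in setup keep-state
add 00600 deny log logamount 500 tcp from any to any in setup
add 00700 deny log logamount 500 ip from any to any
EOF
}

# 3. Flood check: count denied packets per source address in ipfw syslog
#    output and print "SRC COUNT" for sources at or above a threshold.
#    Works for TCP/UDP lines (src:port) and ICMP lines (bare src).
#    usage: flood_sources THRESHOLD < /var/log/security
flood_sources() {
    awk -v thr="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:" && $(i + 2) == "Deny") {
                    src = $(i + 4)
                    sub(/:[0-9]+$/, "", src)   # strip source port if present
                    n[src]++
                }
        }
        END { for (s in n) if (n[s] >= thr) printf "%s %d\n", s, n[s] }
    ' | sort -k2 -nr
}

# Constructed sample log (not real traffic): one noisy source hitting port 80,
# plus one ICMP probe and one accepted SSH connection from quiet sources.
sample_log() {
    i=0
    while [ "$i" -lt 50 ]; do
        echo "Aug 29 20:31:38 gw kernel: ipfw: 600 Deny TCP 203.0.113.7:$((40000 + i)) 192.0.2.10:80 in via em0"
        i=$((i + 1))
    done
    echo "Aug 29 20:31:39 gw kernel: ipfw: 700 Deny ICMP:8.0 198.51.100.3 192.0.2.10 in via em0"
    echo "Aug 29 20:31:39 gw kernel: ipfw: 500 Accept TCP 198.51.100.9:5555 192.0.2.10:22 in via em0"
}

# Counts lines of output without relying on wc's whitespace padding.
count_lines() { awk 'END { print NR }'; }

# Stand-alone run: sources with 20 or more denied packets in the sample.
sample_log | flood_sources 20
```

On a live box the check is run against the file ipfw logs to (typically /var/log/security via syslog's security facility); a source that tops the list while the deny rules are hitting their logamount cap is the flood the reply describes, and the last rule's counter can be reset with `ipfw resetlog` once the log has been read.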