From: Jos Chrispijn
Date: Wed, 28 May 2008 16:05:22 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Survive from DDoS
Message-ID: <483D66A2.8070908@webrz.net>
In-Reply-To: <483CB6F3.5040505@muliahost.com>

Kalpin Erlangga Silaen wrote:
> Yesterday our shell server was attacked and the server immediately rebooted.
> I checked the logs; it looks like a UDP flood with destination port 53. Is
> there any way to survive this kind of attack?

(i) Do a "grep 53 /etc/services" and search for port 53 on both tcp and udp.
Use tcpdump to examine the traffic to see if you can find out what is making
the requests.

(ii) You could set up a caching-only name server. By default, the queries
would be performed through a random port, and any previous queries would
reference the cache rather than rely on the remote DNS.

(iii) I found this on the net:

You could tie your address resolution to a group. Say, for instance, you
create a group called "resolve", and add yourself to it and root (for ports):

    # pw groupadd resolve -M root,you

Then, just add something like this to your IPFW rule set, replacing the
example DNS addresses with your actual addresses:

    DNS1="1.2.3.4"
    DNS2="5.6.7.8"
    add pass udp from any 53 to { $DNS1 or $DNS2 } 53 out gid resolve keep-state

That would have the effect of blocking anything outward-bound from port 53,
except address queries by you and root. If you're running a caching-only NS,
set up "bind" as a member of the group, and your firewall line w/o the port
53 specification:

    # pw groupadd resolve -M bind
    add pass udp from any 53 to { $DNS1 or $DNS2 } 53 out gid resolve keep-state
    add pass udp from any to { $DNS1 or $DNS2 } 53 out gid resolve keep-state

That will block everyone but bind from querying the remote DNS server.

-- cut --

I hope this helps...

Jos
--
My other computer is a *BBC Model B+*
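An added example, not part of Jos's reply or the original thread: a small sh/awk helper that summarises "tcpdump -n" output along the lines of step (i), counting packets sent to port 53 per source address and flagging any source that exceeds a per-second threshold. The sample capture lines are constructed, and the function names and the threshold value are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Works on the default
# tcpdump -n IPv4 line format:  HH:MM:SS.usec IP src.sport > dst.dport: ...
# Constructed sample lines, not real capture data: one busy source sending
# four queries (three inside the same second), one normal source, and one
# unrelated TCP line that must not be counted.
SAMPLE='16:05:22.000100 IP 203.0.113.7.40123 > 192.0.2.10.53: 41+ A? example.com. (29)
16:05:22.000250 IP 203.0.113.7.40124 > 192.0.2.10.53: 42+ A? example.com. (29)
16:05:22.000400 IP 203.0.113.7.40125 > 192.0.2.10.53: 43+ A? example.com. (29)
16:05:22.100000 IP 198.51.100.4.51000 > 192.0.2.10.53: 7+ MX? example.org. (29)
16:05:23.000010 IP 203.0.113.7.40126 > 192.0.2.10.53: 44+ A? example.com. (29)
16:05:23.004000 IP 198.51.100.4.22 > 192.0.2.10.51000: Flags [P.], seq 1:29, ack 1, win 65535, length 28'

# Print "packets source" for every source that sent traffic to port 53,
# busiest first. Reads tcpdump output on stdin.
top_dns_sources() {
    awk '$2 == "IP" && $5 ~ /\.53:$/ {
            split($3, a, ".")                 # drop the source port (5th component)
            src = a[1] "." a[2] "." a[3] "." a[4]
            count[src]++
         }
         END { for (s in count) print count[s], s }' | sort -rn
}

# Print each source that sent more than $1 packets to port 53 within any
# single second of the capture (a crude flood indicator). Reads stdin.
flood_sources() {
    awk -v limit="$1" '
        $2 == "IP" && $5 ~ /\.53:$/ {
            split($3, a, ".")
            src = a[1] "." a[2] "." a[3] "." a[4]
            sec = substr($1, 1, 8)            # HH:MM:SS bucket
            pps[src, sec]++
        }
        END {
            for (k in pps) {
                split(k, p, SUBSEP)
                if (pps[k] > limit && !(p[1] in seen)) { seen[p[1]] = 1; print p[1] }
            }
        }' | sort
}

# Example run over the constructed sample (replace with: tcpdump -n -l udp port 53)
printf '%s\n' "$SAMPLE" | top_dns_sources
printf '%s\n' "$SAMPLE" | flood_sources 2
```

On a live box pipe "tcpdump -n -l udp port 53" into the functions instead of the sample; the addresses reported are what you would then match against with the ipfw rules above.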