From: "Patrick C"
To: "Ivailo Tanusheff"
Cc: "freebsd-questions@freebsd.org", Kalpin Erlangga Silaen
Subject: Re: Survive from DDoS
Date: Wed, 28 May 2008 09:04:07 -0700

I think the size and the fact that his ISP could not filter this
indicates that the problem cannot be solved locally. You can do all the
blocking on your end you want, but they can (and did) still saturate
links ahead of you. Your ISP (or even their uplink, I'm guessing your ISP
was also pretty affected by this attack if they couldn't filter it)
needs to step up to bat in times like this.

-Patrick

2008/5/28 Ivailo Tanusheff :
>
> Hi,
>
> What I wanted to say was to use pf, not ipf. You may use something like
> this:
>
> table persist
> block log quick from
>
> # sshspammer
> # more than 6 ssh attempts in 15 seconds will be blocked ;)
> pass in quick on $ext_if proto tcp to ($ext_if) port ssh keep state
> (max-src-conn 10, max-src-conn-rate 6/15, overload flush
> global)
>
> which I use for ssh flood protection or brute force attacks. You have to
> change the syntax to use it for DNS.
> Hope this will help you.
>
> Regards,
>
> Ivailo Tanusheff
>
> Kalpin Erlangga Silaen
> Sent by: owner-freebsd-questions@freebsd.org
> 28.05.2008 11:34
>
> To: Ivailo Tanusheff
> cc: "freebsd-questions@freebsd.org", owner-freebsd-questions@freebsd.org
> Subject: Re: Survive from DDoS
>
> Dear Ivailo,
>
> thank you for your response. I am using ipfw to limit all packets for
> all open ports in my server. But the packet size was 600 Mbps which could
> not be filtered by our ISP.
>
> Ivailo Tanusheff wrote:
> > Hi,
> >
> > you may use ipf to drop packets from the attacking host I suppose. Or even
> > limit the packets to the specified port.
> >
> > Regards,
> >
> > Ivailo Tanusheff
> >
> > Kalpin Erlangga Silaen
> > Sent by: owner-freebsd-questions@freebsd.org
> > 28.05.2008 05:01
> >
> > To: "freebsd-questions@freebsd.org"
> > cc:
> > Subject: Survive from DDoS
> >
> > Dear all,
> >
> > yesterday, our shell server was attacked and the server immediately rebooted.
> > I checked the logs; it looks like a UDP flood with destination port 53. Is there
> > any way to survive this kind of attack? Also, are there any
> > URLs/resources to improve our shell server?
> >
> > Thank you
> >
> > Kalpin Erlangga Silaen
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
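
Added example, not part of the original thread: the pf rules from Ivailo Tanusheff's quoted message written out as a loadable fragment, with one way to adapt them to UDP port 53. The archived copy shows no table name, so `<abusers>` is an assumption, as are the interface `em0` and the UDP limits.

```pf
# Added example (assumptions: interface em0, table name <abusers>,
# and the UDP limits, which are illustrative values to tune).
ext_if = "em0"

# Sources that trip the TCP limits below land in this table and are
# dropped before any pass rule is evaluated.
table <abusers> persist
block log quick from <abusers>

# SSH (TCP): at most 10 concurrent connections per source and at most
# 6 new connections per 15 seconds. Offenders are added to <abusers>,
# and "flush global" removes all of their existing states.
pass in quick on $ext_if proto tcp to ($ext_if) port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 6/15, overload <abusers> flush global)

# DNS (UDP): max-src-conn, max-src-conn-rate and overload only count
# TCP connections that completed the three-way handshake, so they
# cannot be reused for UDP. Per-source state limits are the closest
# UDP equivalent: a source over the limit gets no new states, but it
# is not added to any table. Spoofed sources each count separately,
# which is why max-src-nodes caps the number of tracked sources.
pass in quick on $ext_if proto udp to ($ext_if) port domain keep state \
    (max-src-nodes 1000, max-src-states 20)

# Neither rule helps once the uplink itself is full: packets are
# dropped here only after they have already crossed the saturated link.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and list the blocked sources with `pfctl -t abusers -T show`.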