From: Volker <volker@vwsoft.com>
Date: Fri, 18 May 2007 10:49:04 +0200
Message-ID: <464D6880.2080306@vwsoft.com>
To: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh; it's not SYN, either.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?

Abdullah,

I'm not quite sure if I get you right. If TCP traffic arrives without a SYN set, you can easily block that by using 'pass ... flags S/SA' so the traffic never reaches your daemon. Also for TCP traffic you may want to try 'synproxy state'.

The last thing you can do is to use altq, feed the traffic into a low bandwidth queue and still be able to serve other traffic. As you can't control the downstream usage that way, you're at least able to limit the response and slow down traffic that way a bit. I'm doing this for SMTP traffic and it works great (I'm slowing down all SMTP traffic from Windows boxes to my home server to a maximum of 6 kBit/s; non-Windows boxes are getting 40 kBit/s for SMTP connections, a bit too rude, I know, but it works).

Keep in mind, if you're under a DDoS attack, your bandwidth may still be eaten up, but the effects on your machine will be limited when using S/SA + synproxy state + bandwidth limiting.

If I get you wrong, please explain your problem in a bit more detail.

HTH
Volker
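The three measures Volker lists (flags S/SA, synproxy state, an ALTQ queue for the responses) put together in one pf.conf fragment. This is an added illustration, not configuration from Volker's mail or from the original poster; the interface name em0, the server address 192.0.2.10, the IRC port 6667 and the 10Mb uplink are assumptions and have to be replaced with the real values.

```pf
# Added example, not from the mail: pf.conf fragment combining
# 'flags S/SA', 'synproxy state' and a low-bandwidth ALTQ queue.
# All macro values below are assumptions for illustration.
ext_if    = "em0"          # assumed external interface
irc_srv   = "192.0.2.10"   # assumed IRC server (documentation address)
irc_ports = "{ 6667 }"     # assumed IRC listener port

# ALTQ: replies to IRC connections are forced through a small queue so a
# connection flood cannot monopolise the uplink. Only the outbound side
# (the responses) can be shaped here; inbound volume is the ISP's to limit.
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_slow }
queue q_default bandwidth 95% cbq(default)
queue q_slow    bandwidth 40Kb cbq(red)

# Default deny. Anything that matches neither a pass rule nor an existing
# state, including stray TCP segments without a SYN, is dropped here.
block in log on $ext_if all

# flags S/SA: only a SYN with ACK cleared may create state, so non-SYN
# garbage never reaches the daemon.
# synproxy state: pf completes the three-way handshake itself and only
# opens the connection to the server once the client has answered, so
# half-open connections never occupy sockets on the IRC host.
# queue q_slow: the state's reply packets leave through the slow queue.
pass in on $ext_if proto tcp from any to $irc_srv port $irc_ports \
    flags S/SA synproxy state queue q_slow

# Keep management reachable; it uses the default queue.
pass in on $ext_if proto tcp from any to $ext_if port 22 \
    flags S/SA keep state

# Traffic originated by the firewall itself.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp icmp } all keep state
```

After loading the rules with `pfctl -f /etc/pf.conf`, `pfctl -vsq` shows the per-queue byte and drop counters, which is the quickest way to confirm that IRC replies really land in q_slow while SSH stays in q_default, and `pfctl -vsr` shows how many packets the `block in` rule is eating. Note that synproxy only works when pf sees both directions of the connection, so it is not suitable on a path with asymmetric routing.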