Date: Sun, 10 Feb 2013 10:42:05 +0100
From: James Howlett <jim.howlett@outlook.com>
To: Charles Sprickman <spork@bway.net>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "khatfield@socllc.net" <khatfield@socllc.net>
Subject: RE: FreeBSD DDoS protection
Message-ID: <SNT002-W1380F7374490A81B4439EDEE50B0@phx.gbl>
In-Reply-To: <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, , <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>, <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>, <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>

Hello,

> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

1. I use pf on the router.
2. My setup looks like this:
   ISP---switch---FreeBSD_router---Juniper_firewall
   So as long as my router can process the traffic, I can manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.

>
> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?

Jim
