From: James Howlett <jim.howlett@outlook.com>
To: Charles Sprickman
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, khatfield@socllc.net
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 10:42:05 +0100
In-Reply-To: <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>

Hello,

> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

1. I use pf on the router.
2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
   So as long as my router can process the traffic I can manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.

> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?

Jim
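The message above says the router runs pf with nothing beyond SSH filtering, and that the attack was many hosts opening connections to one port on one machine. The pf.conf fragment below is an added example, not from this thread or its author, of the per-source state limits and overload table that pf offers for exactly that pattern. The interface name em0, the target address 192.0.2.10 (an RFC 5737 documentation address), the port and the numeric limits are placeholders to be replaced with real values.

```pf
# Added example, not from the original thread. em0, 192.0.2.10 and the
# limits below are assumptions for illustration.
ext_if = "em0"
target = "192.0.2.10"
table <flooders> persist

# Sources already in the table are dropped before any further evaluation.
block in quick on $ext_if from <flooders>

# pf completes the TCP handshake itself (synproxy), so half-open SYNs from
# spoofed sources never reach the host. Per source: at most 100 simultaneous
# states, and no more than 15 new connections in any 5-second window.
# A source that exceeds either limit is added to <flooders> and all of its
# existing states are flushed.
pass in on $ext_if proto tcp to $target port 80 flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# Existing SSH filtering for the router itself would sit alongside this.
```

Inspect who has been caught with `pfctl -t flooders -T show`, and age entries out with `pfctl -t flooders -T expire 3600` (seconds) from cron, since the table is persistent and otherwise only shrinks by hand. Rule hit counters are visible with `pfctl -vvsr`. Two caveats apply: the overload table only helps against sources that actually complete handshakes (spoofed-source SYN floods are absorbed by synproxy instead, and cost state-table memory), and every one of those 200K packets per second is still received and classified by the router's NIC and pf before being dropped. This fragment protects the customer host; it does not reduce the router's own load, which is what polling, NIC tuning and upstream null routes address.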