Date: Sun, 10 Feb 2013 10:42:05 +0100
From: James Howlett <jim.howlett@outlook.com>
To: Charles Sprickman <spork@bway.net>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "khatfield@socllc.net" <khatfield@socllc.net>
Subject: RE: FreeBSD DDoS protection
Message-ID: <SNT002-W1380F7374490A81B4439EDEE50B0@phx.gbl>
In-Reply-To: <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>, <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>, <850217A5-05F0-499C-A353-7C675452E6D7@bway.net>
Hello,

> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?

1. I use pf on the router.
2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall

So as long as my router can process the traffic I can manage all the rest (eg. customer firewalls, zoning etc) on my Juniper hardware.

3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.

> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?

Jim
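As an added illustration (not part of the thread, and not the output of any particular flow collector or the poster's setup): a small Python aggregator over constructed flow records that performs the analysis Charles describes, finding which destination IP and port the packets are concentrating on and from how many distinct sources, so the attacked IP can be handed to an upstream for null-routing. The CSV record layout, the thresholds and the sample numbers (sized to match the 200K pps figure in the thread) are assumptions for the example. One caveat for the sFlow case the poster mentions: sFlow is packet-sampled at 1-in-N, so packet counts must be multiplied by the sampling rate before they are compared against a pps threshold; the example assumes counts that have already been scaled.

```python
"""Aggregate flow records to find the target of a many-sources-to-one-port flood.

Constructed example for illustration. Each record is a simplified flow export:
  start_epoch,end_epoch,src_ip,dst_ip,proto,dst_port,packets,octets
The field layout and the thresholds below are assumptions, not any collector's format.
"""
from dataclasses import dataclass

# Constructed sample: five sources hammering 203.0.113.5 tcp/80 over a 10 s window
# (2,000,000 packets total = 200,000 pps), plus a little ordinary traffic.
SAMPLE_FLOWS = """\
1360000000,1360000010,198.51.100.10,203.0.113.5,tcp,80,400000,24000000
1360000000,1360000010,198.51.100.11,203.0.113.5,tcp,80,380000,22800000
1360000000,1360000010,198.51.100.12,203.0.113.5,tcp,80,420000,25200000
1360000000,1360000010,198.51.100.13,203.0.113.5,tcp,80,410000,24600000
1360000000,1360000010,198.51.100.14,203.0.113.5,tcp,80,390000,23400000
1360000000,1360000010,192.0.2.7,203.0.113.5,tcp,22,40,3200
1360000000,1360000010,192.0.2.8,203.0.113.9,udp,53,900,90000
1360000000,1360000010,192.0.2.9,203.0.113.9,tcp,443,3000,2400000
"""


@dataclass
class Flow:
    start: int
    end: int
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    packets: int
    octets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV layout; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 8:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(int(f[0]), int(f[1]), f[2], f[3], f[4],
                          int(f[5]), int(f[6]), int(f[7])))
    return flows


@dataclass
class TargetStats:
    dst_ip: str
    proto: str
    dst_port: int
    packets: int
    sources: set          # distinct source IPs seen hitting this target
    window: int           # seconds spanned by the contributing flows (>= 1)

    @property
    def pps(self) -> float:
        return self.packets / self.window


def aggregate_targets(flows: list[Flow]) -> list[TargetStats]:
    """Group flows by (dst_ip, proto, dst_port); sort targets by packet rate, highest first."""
    acc = {}
    for fl in flows:
        key = (fl.dst_ip, fl.proto, fl.dst_port)
        a = acc.setdefault(key, {"packets": 0, "sources": set(),
                                 "start": fl.start, "end": fl.end})
        a["packets"] += fl.packets
        a["sources"].add(fl.src_ip)
        a["start"] = min(a["start"], fl.start)
        a["end"] = max(a["end"], fl.end)
    out = []
    for (ip, proto, port), a in acc.items():
        window = max(1, a["end"] - a["start"])   # avoid division by zero on instant flows
        out.append(TargetStats(ip, proto, port, a["packets"], a["sources"], window))
    out.sort(key=lambda t: t.pps, reverse=True)
    return out


def find_flood_targets(flows: list[Flow], min_pps: float = 50_000,
                       min_sources: int = 3) -> list[TargetStats]:
    """Targets that are both high-rate and hit from many sources (assumed thresholds)."""
    return [t for t in aggregate_targets(flows)
            if t.pps >= min_pps and len(t.sources) >= min_sources]


if __name__ == "__main__":
    for t in find_flood_targets(parse_flows(SAMPLE_FLOWS)):
        # The dst_ip is what an upstream would be asked to null-route.
        print(f"{t.dst_ip} {t.proto}/{t.dst_port}: {t.pps:.0f} pps "
              f"from {len(t.sources)} sources over {t.window}s")
```

The same aggregation works on real exports once the record parser is swapped for the collector's own format; the thresholds are the part that needs tuning to the link, since a busy web server legitimately sees many sources on one port and only the combination of rate and source count separates it from the flood the poster describes.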