Date: Thu, 28 Jun 2007 20:45:04 +0800
From: Xin LI <delphij@delphij.net>
To: Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com>
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <4683AD50.4020707@delphij.net>
In-Reply-To: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com> <468393F9.2030805@delphij.net> <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
Abdullah Ibn Hamad Al-Marri wrote:
[...]
>> I think ICMP and UDP can have their originating address forged, so this
>> will effectively construct a true remote triggerable DoS...
>
> Thank you Li,
>
> I set antispoof in my pf.conf for the NIC; would these rules help or
> not? Do you have suggestions about the values? I run bind on the
> servers.

No. antispoof is for another use. To put it simply, it's something like
"Don't bother to handle a packet which should not come from the
specified interface".

An example of use might be, say, you have two NICs: em0 and em1. em0 is
connected to the Internet, and em1 is connected to a private subnet
192.168.0.0/24. The two networks are not interconnected. antispoof on
em1 means that if em0 receives a packet which claims to be from
192.168.0.0/24, then drop it.

ICMP and UDP protocols are, however, not designed for you to be able to
distinguish whether the source address is forged. Thus, using the state
table can be a true DoS sometimes; an attacker can just exhaust the
table resource and render your network non-responsive. So be careful...

Cheers,
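As an added illustration of the two points in the reply above (an editor's example, not part of the original thread and not taken from the pf documentation; the interface names em0/em1, the 192.168.0.0/24 prefix, the UDP/53 service and every limit and timeout value are assumed), the following pf.conf fragment shows what antispoof actually covers and how to bound the damage a flood of forged UDP/ICMP sources can do to the state table:

```conf
# Editor's example pf.conf fragment (assumed topology: em0 faces the
# Internet, em1 faces 192.168.0.0/24, the host runs a nameserver on UDP/53).
ext_if = "em0"
int_if = "em1"
lan    = "192.168.0.0/24"

# Global ceilings for the state table and the source-tracking table.
# These bound how much memory a flood can consume; they do not stop the
# flood, they only keep it from taking the whole firewall down with it.
set limit { states 10000, src-nodes 5000 }

# Short lifetimes for connectionless protocols, so entries created by
# spoofed UDP/ICMP packets age out in seconds rather than minutes.
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }
set timeout { icmp.first 10, icmp.error 5 }

# antispoof only rejects packets that arrive on the wrong interface for
# their source prefix. For em1 it expands roughly to:
#   block in on ! em1 inet from 192.168.0.0/24 to any
# It says nothing about an em0 packet that forges some *other* Internet
# address, which is exactly the flooding case discussed above.
antispoof log quick for { $int_if }

block in log all

# DNS: keep state so replies match, but cap what this one rule may hold
# ("max") and cap states per tracked source. The per-source cap is weak
# against forged sources, since every forged address looks like a new
# client; the per-rule "max" is the limit that actually protects the table.
pass in on $ext_if proto udp to ($ext_if) port 53 \
    keep state (max 2000, source-track rule, max-src-states 50)

# ICMP echo: answer it without creating any state, so a flood of forged
# echo requests costs zero table entries. "quick" keeps the later
# stateful "pass out" from creating state for the replies instead.
pass in  quick on $ext_if inet proto icmp icmp-type echoreq no state
pass out quick on $ext_if inet proto icmp icmp-type echorep no state

pass in on $int_if from $lan
pass out on $ext_if keep state
```

The trade-off is the one the reply describes: per-source limits (max-src-states) assume the source address means something, which it does not for forged UDP/ICMP, so the protections that hold up under spoofing are the ones that do not depend on the source at all: the global set limit, the per-rule max, short timeouts, and not keeping state (no state) for traffic where a state entry buys nothing. Check the effect with `pfctl -si` (state count and limits) and `pfctl -ss` (the states themselves) while a test flood is running.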
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4683AD50.4020707>