Date: Mon, 22 Sep 2008 06:54:56 +0200
From: "Redd Vinylene" <reddvinylene@gmail.com>
To: questions@freebsd.org, misc@openbsd.org
Cc: larsnooden@ekiga.net, bsdly@bsdly.net
Subject: Re: pf to block against DDoS?
Message-ID: <f1019d520809212154p328253c6kbfdd643e5bb5c146@mail.gmail.com>
> > > > From: Redd Vinylene <reddvinylene@...>
> > > > To: <questions@...>, <misc@...>
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > >
> > > From: Oliver Peter <lists@...>
> > > To: Redd Vinylene <reddvinylene@...>
> > > Cc: <questions@...>, <misc@...>
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > > http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > > -- Coach McTavish
> >
> > From: Peter N. M. Hansteen <peter@...>
> > To: Oliver Peter <lists@...>
> > Cc: Redd Vinylene <reddvinylene@...>, <questions@...>, <misc@...>
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that! However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
>
> From: Lars Noodén <larsnooden@...>
> To: Oliver Peter <lists@...>
> Cc: Redd Vinylene <reddvinylene@...>, <misc@...>
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Much obliged to all y'all gentlemen for your valuable design insight.

Now, is there anything more I can do to secure my webserver from attacks? Or
perhaps my pf.conf can be simplified / beautified?

Peter N. M. Hansteen: Did I follow your tutorial correctly?

Lars Noodén: Would you happen to have an example of that?

My pf.conf now looks like this:

-
ext_if = "rl0"
int_if = "ep0"

set block-policy return
set skip on { lo0 }

scrub in

table <bruteforce> persist

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 30000 -> 192.168.187.2 port 30000

pass out keep state
pass quick on $int_if

block in
block quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port { 20, 21, 25, 53, 113, 30000:35000 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto udp from any to any port 53 keep state
pass in on $ext_if inet proto icmp from any to any keep state
-

Have a great week! Cheers!

--
http://www.home.no/reddvinylene
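Lars's two-table idea, worked out as an added pf.conf fragment for the port 22 rule above (editor's example, not posted by anyone in the thread). It assumes OpenBSD-era pf with ALTQ compiled in, the rl0 interface from the post, and the table name <slowpokes> and queue names std/slow are made up for the example.

```conf
# Two-stage overload: a first offender is moved into <slowpokes> and
# throttled, a second overload from the same host lands in <bruteforce>
# and is blocked outright. Table names are the example's own choice.
ext_if = "rl0"

table <slowpokes>  persist
table <bruteforce> persist

# ALTQ: one default queue plus a starved one for hosts in <slowpokes>.
# 10Mb is a placeholder; set it to the real uplink bandwidth.
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std  bandwidth 90% cbq(default)
queue slow bandwidth 2%  cbq

# Hosts that overloaded twice get nothing.
block quick from <bruteforce>

# Second chance: hosts already in <slowpokes> are answered from the slow
# queue with a much tighter limit. This rule must be quick and must come
# before the general rule, or the general rule would match them first.
pass in quick on $ext_if inet proto tcp from <slowpokes> to any port 22 \
    flags S/SA keep state (max-src-conn 5, max-src-conn-rate 2/30, \
    overload <bruteforce> flush global) queue slow

# Everyone else: the first overload moves the source into <slowpokes>
# rather than straight into the block table.
pass in on $ext_if inet proto tcp from any to any port 22 \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <slowpokes> flush global)
```

Entries added by overload never age out on their own; a cron job running `pfctl -t slowpokes -T expire 3600` (and a longer interval for <bruteforce>) drops entries older than the given number of seconds so a host that behaves afterwards is not throttled forever.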