stopping an attack (fraggle like)

NetOps Admin netops.admin at epsb.ca
Wed Sep 25 21:52:01 UTC 2013


On Wed, Sep 25, 2013 at 11:58 AM, Charles Swiger <cswiger at mac.com> wrote:

> Hi--
>
> On Sep 25, 2013, at 10:23 AM, NetOps Admin <netops.admin at epsb.ca> wrote:
> > Hi,
> >       We are currently getting hit with a DoS attack that looks very
> > similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> > coming at us from thousands of hosts.  The source UDP port is 19
> (chargen)
> > and when it hits it consumes a 2Gb/s link.
>
> OK.  You should get your ISP or whatever upstream connectivity provider to
> filter out the malicious traffic before it hits your 2Gb/s link.
>

   My ISP is only able to filter out based on the attacking IP address.
They did offer to block the IP if I can identify who is attacking us.  This
doesn't help in the case of a Fraggle attack where I don't see the initial
attacker and the attack is hitting me from a few thousand IPs.


>
> >       Our main router is a FreeBSD server with ipfw installed.  I have
> > tried blocking UDP port 19 incoming from the internet in a firewall rule
> > but the UDP packets are very large and they are followed by a number of
> > fragmented packets.  I think that even though I am blocking port 19, the
> > fragmented packets are getting through and eating up the bandwidth.
>
> Right...filtering this UDP traffic on your side is already too late,
> because
> your bandwidth is already being chewed up.
>

   That is the problem.  I am trying to affect it from my end since my
ISP can't help in this situation.  I guess this is really not an option. ;(

---- Kirk
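The router-side filter Kirk describes, written out as an added example that is not from the original thread or from FreeBSD itself: a pair of ipfw rules for the FreeBSD border router that drops chargen replies (UDP source port 19) arriving on the external interface and, as a separate rule, the non-first fragments of those datagrams. The second rule is the part a port-based rule misses: ipfw's `frag` keyword matches fragments with a non-zero offset, which carry no UDP header and so can never match `udp from any 19`. The interface name em0, the rule numbers and the helper names are assumptions. As Charles points out in the thread, this only stops the traffic at the router; it cannot recover the saturated 2Gb/s link.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw rules for a FreeBSD
# router under a chargen/Fraggle-style flood.  EXT_IF is an assumed
# external interface name; rule numbers 100/110 are assumed to sit in front
# of the router's existing allow rules so the drops happen first.

EXT_IF="${EXT_IF:-em0}"

# Emit the rule set to stdout so it can be reviewed before being piped to sh.
gen_rules() {
    cat <<EOF
ipfw -q add 100 deny log udp from any 19 to any in recv ${EXT_IF}
ipfw -q add 110 deny log ip from any to any frag in recv ${EXT_IF}
EOF
}
# Rule 100: chargen replies (UDP source port 19) from the outside.
# Rule 110: non-first fragments from the outside; these have no UDP header,
#           so rule 100 alone lets them through.  Note this also drops
#           legitimate inbound fragments (see the usage note below).

# Install the rules, but only on a host that actually has ipfw.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        gen_rules | sh
    else
        echo "ipfw not found; rules not applied" >&2
        return 1
    fi
}

# Number of generated rules that use the frag keyword (sanity check for the
# ordering above: exactly one fragment rule is expected).
count_frag_rules() {
    gen_rules | grep -c ' frag '
}

# Print the rules by default; run with "apply" as the first argument to
# install them on the router.
case "${1:-print}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

Review the output of gen_rules before applying it. The `frag` rule drops every non-first inbound fragment, including legitimate ones (large EDNS answers, IPsec, some NFS traffic); if those matter, ipfw's `reass` action in newer releases can reassemble inbound datagrams ahead of the port-19 rule instead, at the cost of CPU and memory under a flood. `ipfw -a list` shows per-rule packet and byte counters, which is the quickest way to confirm which of the two rules is actually absorbing the traffic.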

