Shell Provider - DDoS Attacks - IPFW Ratelimiting
Andy Dills
andy at xecu.net
Sun Jun 29 21:37:43 PDT 2003
On Sun, 29 Jun 2003, Allan Jude - ShellFusion.net Administrator wrote:
> Using such 'limit src' firewall rules will not help you, my shell server
> quickly overran the maximum number of dynamic rules, even increasing the
> limit didn't make this plausable because there are 1000's of concurrent
> connections at any one time. If your traffic is small enough, it might
> be useful, but if you are using 10mb, or 100mb, it will easily blow your
> firewall away
Well, if you limit by individual IP, sure.
Don't use a full mask; try something like 0xffff0000, so that it's
limited per /16.
Don't forget to sysctl net.inet.ip.dummynet.expire to 1, and don't be
afraid to give net.inet.ip.fw.dyn_max a nice bump.
Regardless, this isn't how you deal with a DDoS...
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
More information about the freebsd-isp
mailing list