FreeBSD DDoS protection

Charles Sprickman spork at bway.net
Sun Feb 10 09:16:24 UTC 2013 

On Feb 10, 2013, at 4:06 AM, James Howlett wrote:

> Hello,
> 
> Kevin, thank You for the information.
> 
>> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straight forward deny/allow + source spoof settings.
>> 
>> Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
>> 
> 
> Let me tell You a bit about my setup. All my connections to ISP's are 1Gigabit each.
> They are terminated on a my switch, and the router is connected to that switch.

I think you'll get some better input if you address some of what Kevin noted above.  What firewall (if any) is in place?  What rules are currently in place? What tuning have you done so far?  Is polling enabled?

When you get hit, you mentioned it's 200K pps, how much bandwidth?  How many different source IPs?

I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targetted and ask my upstreams to null route the attacked IP at their edges.  I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

Charles

> 
>> Deny all ICMP (drop I mean) and UDP except where specifically required.
> 
> Is droping ICMP really helpful? I can limit ICMP only to my monitoring host - that is no problem.
> 
>> And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
>> 
> 
> This is already done. I also have out of band management to my router over a different network connection. If all my ISP's fail I can still connect to that router.
> 
>> The less you do with the firewall (routing/blocking/inspecting) the better.
>> 
>> Drop drop drop ;)
>> 
>> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
>> 
> 
> I have the following ethernet cards in my router:
>  device     = '82579LM Gigabit Network Connection'
>    device     = '82571EB Gigabit Ethernet Controller'
>    device     = '82571EB Gigabit Ethernet Controller'
>    device     = '82574L Gigabit Network Connection'
> 
> but at this moment I use only the 82571EB model.
> 
>> I have ran similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
>> 
> 
> At this moment an attack on 80 port kills my network connection with the number of PPS. 200000 is reached in a second and the router can't proccess any new connections.
> 
>> I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
>> 
> 
> There is nothing to apologize for - You are most helpful.
> 
>> I have my configs which I can send by tomorrow if needed. (For examples)
>> 
> 
> That would be great.
> 
> All best,
> Jim
> 
> 		 	   		  
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"

More information about the freebsd-isp mailing list