Best way to decrease DDoS with pf.

Volker volker at vwsoft.com
Fri May 18 01:49:42 PDT 2007


> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh; it's not SYN either.
> 
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
> 
> Rate: 245,919 Packets Per Second
> 
> What is the best way to deal with such DDoS?

Abdullah,

I'm not quite sure if I get you right.

If TCP traffic arrives without a SYN set, you can easily block that by
using 'pass ... flags S/SA' so the traffic never reaches your daemon.

Also, for TCP traffic you may want to try 'synproxy state'.

The last thing you can do is to use altq, feed the traffic into a low
bandwidth queue and still be able to serve other traffic. As you can't
control the downstream usage that way, you're at least able to limit
the response and slow down traffic a bit that way. I'm doing this for
SMTP traffic and it works great (I'm slowing down all SMTP traffic
from Windows boxes to my home server to a maximum of 6 kBit/s; non-
Windows boxes are getting 40 kBit/s for SMTP connections, a bit too
rude, I know, but it works).

Keep in mind, if you're under a DDoS attack, your bandwidth may still
be eaten up, but the effects on your machine will be limited when
using S/SA + synproxy state + bandwidth limiting.

If I get you wrong, please explain your problem in a bit more detail.

HTH

Volker
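The three measures Volker lists (flags S/SA, synproxy state, and an altq queue for the responses) combined into one pf.conf fragment. This is an added example, not configuration from the original mail or from the FreeBSD project; the interface name em0, the 10Mb uplink figure, the 64Kb IRC queue, the admin_net address range and port 6667 are assumptions chosen for illustration and must be replaced with the real values. ALTQ needs a kernel built with the ALTQ options (and the scheduler used, here cbq) or the altq lines will be rejected at load time.

```pf
# /etc/pf.conf fragment (example; values below are assumptions)
ext_if    = "em0"            # assumption: external interface
irc_port  = "6667"           # assumption: IRC listener port
admin_net = "192.0.2.0/24"   # assumption: where ssh should stay reachable from

# ALTQ on the external interface. Only traffic leaving $ext_if is shaped, so
# the flood itself cannot be stopped here; what the small queue limits is the
# server's replies to it, which keeps the rest of the link usable.
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_irc }
queue q_default bandwidth 90% cbq(default)
queue q_irc     bandwidth 64Kb

# Default deny, so anything not explicitly passed is dropped before it
# reaches a daemon.
block in all

# IRC: only a bare SYN (flags S set, A clear) may create state, so stray
# ACK/RST/FIN floods never match. synproxy state makes pf complete the
# three-way handshake itself and only then opens a connection to the
# daemon, so half-open and fake-source connections never reach userland.
# The queue assigned on an inbound stateful rule applies to the reply
# packets of that state when they leave $ext_if, i.e. the server's
# responses to IRC clients are capped at q_irc's bandwidth.
pass in on $ext_if proto tcp from any to ($ext_if) port $irc_port \
    flags S/SA synproxy state queue q_irc

# Management access from the trusted range stays in the default queue,
# so ssh does not compete with IRC responses for bandwidth.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh \
    flags S/SA keep state

pass out on $ext_if all keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and watch the queues with `pfctl -vsq` while under load: if the IRC queue shows drops and q_default does not, the limiting is doing what the mail describes, shielding the rest of the host rather than absorbing the inbound flood.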


More information about the freebsd-pf mailing list