stopping an attack (fraggle like)

NetOps Admin netops.admin at epsb.ca
Wed Sep 25 17:36:15 UTC 2013


Hi,
       We are currently getting hit with a DoS attack that looks very
similar to a Fraggle attack. We are seeing a large amount of UDP traffic
coming at us from thousands of hosts.  The source UDP port is 19 (chargen)
and when it hits it consumes a 2Gb/s link.

       Our main router is a FreeBSD server with ipfw installed.  I have
tried blocking UDP port 19 incoming from the internet in a firewall rule
but the UDP packets are very large and they are followed by a number of
fragmented packets.  I think that even though I am blocking port 19, the
fragmented packets are getting through and eating up the bandwidth.

      I am a little hesitant of using a UDP deny rule with "keep-state" to
try and block the following fragmented packets.  I don't want to cause
memory issues.

      Can I use keep-state with a deny rule?  Will it have issues if I use
keep-state to track thousands of hosts in a saturated 2 Gb/s link?

      Any ideas on how others are controlling this?

Thanks

----- Kirk
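The filtering approach the post is circling around, as an added example that is not part of the original message or of any reply on the list: a stateless ipfw ruleset that drops chargen replies by source port and, separately, drops the non-initial fragments that a port match can never see. It assumes the external interface is em0 and that rule numbers 1000 and 1010 are free; both are assumptions to adjust for the real router. No keep-state is used, so there is no dynamic-rule table to grow under a flood.

```shell
#!/bin/sh
# Added example (not from the original post): a stateless ipfw ruleset
# for the chargen-reflection flood described above.
# Assumptions: the external interface is em0 and rule numbers 1000-1010
# are unused; change both to match the real router.

ext_if="${EXT_IF:-em0}"

# Emit the rules one per line, in the form ipfw(8) reads from a file,
# so they can be reviewed before being loaded.
rules() {
    # Chargen replies: UDP with source port 19 arriving from the internet.
    # This matches only the first fragment of each datagram, because only
    # that fragment carries the UDP header.
    echo "add 1000 deny udp from any 19 to any in via ${ext_if}"
    # Non-initial fragments carry no transport header, so no port match
    # can ever see them. ipfw's "frag" option matches exactly those packets
    # (the trailing pieces the post describes getting through).
    echo "add 1010 deny ip from any to any frag in via ${ext_if}"
}

# Number of rules the generator emits (sanity check before loading).
rule_count() {
    rules | wc -l | tr -d ' '
}

# Load the rules only when invoked explicitly on a host that has ipfw;
# otherwise just print them for review.
if [ "${1:-}" = "apply" ]; then
    command -v ipfw >/dev/null || { echo "ipfw not found" >&2; exit 1; }
    rules | ipfw -q /dev/stdin
    # -a shows packet/byte counters, so the two rules can be compared to
    # see how much of the flood arrives as fragments versus first packets.
    ipfw -a list 1000-1010
else
    rules
fi
```

Two caveats a practitioner would add. First, rule 1010 drops every non-initial IPv4 fragment from the internet, legitimate ones included (large DNS answers, some VPN traffic), so watch its counters and carve out exceptions above it if needed; ipfw's `reass` action would reassemble instead of dropping, but queuing fragments under a flood is exactly the memory cost the post wants to avoid. Second, the router can only discard packets that have already crossed the 2 Gb/s link, so these filters stop the traffic from propagating further inside the network but do not recover the saturated inbound link; the same source-port-19 and fragment filters have to be applied by the upstream provider for that. On later FreeBSD releases ipfw(8) documents the fragment match as `frag offset`.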

