Reduce effects of DDoS attack ...

Cody Baker cody at wilkshire.net
Thu Oct 7 08:48:09 PDT 2004 

The packets your 200.046.204 machines are receiving are most likely ARP 
packets, which are Ethernet level broadcast.  They can't really be 
stopped with out dividing the physical network in to two pieces or 
VLANs.  If your router supports VLANs, you can divide your subnet to one 
portion of that catalyst switch, and the offending network to another 
portion.  This is a good policy in terms of security, but it's not going 
to fix your problem.  Unless you're extremely well connected to the 
Internet (something greater than 10MB/s), you're problem has nothing to 
do with anything on your network, rather the pipe between your network 
and the world is just congested.  The other possibility is that your 
router isn't able to keep up with the load.  I would suggest that your 
best bet is to talk to your upstream provider, see if they can't block 
the attack in anyway.

In regards to Matthew's response, the Cisco switch should be capable of 
handling all but the most intense attacks.  In terms of the Linksys, the 
only thing it's going to be seeing is the ARP packets, and while those 
network wide broadcasts are detrimental, they're not going to be the 
cause of 70% packet loss.

Thank you,

Cody Baker
cody at wilkshire.net
330.934.0659
http://www.wilkshire.net

Marc G. Fournier wrote:

>
> I've got 5 servers sitting on a 10/100 unmanaged switch right now ... 
> last night, a DDoS attack against a network "beside us" cause 70+% 
> packet loss on our network, and I'm trying to figure out if there is 
> anything I can do from my side to "compensate" for this ...
>
> I run ipaudit on all our servers, and a normal 30 minute period looks 
> like:
>
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
>    12107
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
>      112
> neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
>    12219
>
> where 200.046.204 is our C-class ...
>
> Now, when the DDoS attack is running, those stats change to:
>
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
>     5815
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
>   594189
> neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
>   600004
>
> We're getting *alot* of traffic on our network that just is not ours ...
>
> Now, I can login to the servers, and load is negligible ... but packet 
> loss is anywhere from 50->90%, so pretty much unusable ...
>
> Now, the shared 'switch' between our networks is a Cisco Catalyst 
> 2900xl ... is there something that should be set on that so that I 
> don't see that network traffic?  Basically, the only network traffic 
> that I should/want to see is that for my network .. in this case, 
> 200.46.204?
>
> Baring that ... is there anything that I can do on the FreeBSD side of 
> things to reduce the impact of the "extra packets"?  Some way of 
> "absorbing them"?  For instance, if the packet is coming in, and it 
> isn't for that server, then I imagine it has to 'bounce' it back out 
> again, compounding the problem, no?
>
> Also ... since the FreeBSD servers do seem to be handling the load, is 
> it possible that the unmanaged switch that i have in place between the 
> FreeBSD box and the Cisco switch is 'buckling under the load'?  Not 
> able to handle the packets fast enough, and therefore just drop'ng them?
>
> The unmanage switch is a 10/100 Linksys Switch ...
>
> Thanks for any responses ...
>
> ----
> Marc G. Fournier           Hub.Org Networking Services 
> (http://www.hub.org)
> Email: scrappy at hub.org           Yahoo!: yscrappy              ICQ: 
> 7615664
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"

More information about the freebsd-isp mailing list