Flush ICMP and UDP flooders

Xin LI delphij at delphij.net
Thu Jun 28 12:45:22 UTC 2007


Abdullah Ibn Hamad Al-Marri wrote:
[...]
>> I think ICMP and UDP can have their originating address forged, so this
>> will effectively construct a true remote triggerable DoS...
> 
> Thank you Li,
> 
> I set antispoof in my pf.conf for the NIC; would these rules help or
> not? Do you have suggestions about the values? I run BIND on the
> servers.

No.  antispoof is for another use; to put it simply, let's say that it's
something like "Don't bother to handle a packet which should not come
from the specified interface".

An example of use might be, say, you have two NICs: em0 and em1.  em0 is
connected to the Internet, and em1 is connected to a private subnet
192.168.0.0/24.  The two networks are not interconnected.  antispoof on
em1 means that if em0 receives a packet which claims to be from
192.168.0.0/24, then drop it.

The ICMP and UDP protocols are, however, not designed for you to be able to
distinguish whether the source address is forged.  Thus, using a state table
can be a true DoS sometimes; an attacker can just exhaust the table's
resources and render your network non-responsive.  So be careful...

Cheers,
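As an added illustration (not part of the thread, and not Xin LI's or Abdullah's configuration), the pf.conf fragment below puts the antispoof rule from the em0/em1 example next to the state-table controls that actually limit the exhaustion risk described for ICMP and UDP. The interface names and the 192.168.0.0/24 subnet come from the message; every numeric limit is an assumed value to be tuned for the host.

```pf
# Added example, not from the thread: interfaces and subnet follow the message
# above; all numeric limits below are assumed values.
ext_if = "em0"   # connected to the Internet
int_if = "em1"   # connected to the private 192.168.0.0/24 subnet

# Global state-table budget and adaptive timeouts: once the table holds more
# than adaptive.start entries, pf scales state lifetimes down, reaching zero
# at adaptive.end, so states created by a forged-source flood expire sooner.
set limit states 10000
set timeout { adaptive.start 6000, adaptive.end 12000 }
# Short lifetimes for UDP and ICMP states; no handshake validates their source.
set timeout { udp.first 30, udp.single 20, udp.multiple 40 }
set timeout { icmp.first 10, icmp.error 5 }

# antispoof as described in the message: packets arriving on any other
# interface that claim a source in $int_if's network are dropped.  It says
# nothing about forged Internet sources arriving on $ext_if.
antispoof log quick for $int_if

block in log on $ext_if all

# Weak form: no per-source cap, so one spoofed flood can fill the whole table.
# pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

# Hardened form: cap the states any single source address may hold through
# each rule, leaving the rest of the table for legitimate clients.
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 \
    keep state (max-src-states 50)
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq \
    keep state (max-src-states 10)
pass out on $ext_if all keep state
```

Check the live table with `pfctl -si` (state count and limit) and `pfctl -ss` to see which sources hold the most entries when the count climbs.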


More information about the freebsd-pf mailing list