Best way to decrease DDoS with pf.

Abdullah Ibn Hamad Al-Marri almarrie at gmail.com
Fri May 18 06:56:06 PDT 2007 

On 5/18/07, Volker <volker at vwsoft.com> wrote:
> > This isn't bandwidth issue, but filling the network buffer more than
> > anything else, so there are no more free sockets, and I can't connect
> > to the server via ssh, it's not syn as well.
> >
> > But mass connect to IRC server with small bw, and the server isn't
> > lagged at all.
> >
> > Rate: 245,919 Packets Per Second
> >
> > What is the best way to deal with such DDoS?
>
> Abdullah,
>
> I'm not quite sure if I get you right.
>
> if tcp traffic arrives without a SYN set, you can easily block that by
> using 'pass ... flags S/SA' so the traffic never reaches your daemon.
>
> Also for tcp traffic you may want to try 'synproxy state'.
>
> The last thing you can do is to use altq, feed the traffic into a low
> bandwidth queue and still be able to serve other traffic. As you can't
> control the downstream usage that way, you're at least able to limit
> the response and slow down traffic that way a bit. I'm doing this for
> SMTP traffic and it works great (I'm slowing down all SMTP traffic
> from windows boxes to my home server to a maximum of 6 kBit/s - non
> windows boxes are getting 40 kBit/s for SMTP connections, a bit too
> rude, I know but it works).
>
> Keep in mind, if you're under a DDoS attack, your bandwidth may still
> be eaten up, but the effects on your machine will be limited when
> using S/SA + synproxy state + bandwidth limiting.
>
> If I get you wrong, please explain your problem a bit more detailed.
>
> HTH
>
> Volker
>

Thank you for the tip.

Here what I'm using which fixed the issue.

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out proto tcp to any keep state

Comments?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

More information about the freebsd-pf mailing list