Blocking udp flood trafiic using pf, hints welcome
Elvir Kuric
omasnjak at gmail.com
Sun Nov 9 05:44:54 PST 2008
Hello Jeremy,
Thank you for your time and your answer,
> First, you should be very careful with use of the "log" directive on
> your rules. I've personally witnessed an attack which triggered "log"
> entries in block rules causing pflog to log at such a tremendous/fast
> rate, that newsyslog could not rotate+compress the log files fast
> enough, resulting in CPU maxing out and so on (a true self-induced
> denial-of-service). Consider this warning. :-)
I absolutely agree with you regarding logging, and I do not practice
this, only logging specific data. The biggest problem with this DoS
attacks ( udp floods ) is, processor
must spend some time on packet arrive ( even dropping will take some
processor power ).
>
> Secondly, and this is more a direct answer of your question: I believe
> what you're referring to is a UDP-based DoS attack against your FreeBSD
> machine(s).
Actually it is OpenBSD, but it is not important for this case.
>
> The "block" directives you're using will only stop your FreeBSD box from
> responding to those packets (whatever you do, silently deny those
> packets; do not use "reject", or else your box will be trying to send
> back denial responses to the attackers, which just makes the problem
> worse). It *cannot* solve the problem of your network connection
> becoming saturated.
Block works fantastic, connection goes down due to milions of packets arrived.
>
> Your next question will be: "okay, so how do I solve this problem?" This
> is where it gets both technical and political. There are two things to
> do first:
>
> 1) See if the attacks are distributed (multiple IPs or even spoofed IPs
> hitting your machine with UDP packets). If they're distributed or
> spoofed, you're out of luck.
>
> If the packets are legitimate (e.g. some compromised machine on the
> Internet is being used to attack you), you need to find out who own that
> IP address, and contact them. ARIN (WHOIS) can be of help here. Pray
> they have an abuse department. If you do not get a prompt response
> (24-48 hours), try to figure out who their upstream network provider is,
> and send them a similar message. Continue up the chain until you get a
> response. Phone calls (even international) often work wonders
> decreasing mitigation time.
>
> 2) Investigate your own machine. I cannot stress this enough. Most DoS
> attacks I've seen in my years ARE NOT random -- there's a reason they
> happen.
>
> The majority of attacks I've seen involve IRC in some way, either as a
> central cause of attack (arguments, channel takeovers, whatever), or
> indirectly (a compromised account on your machine). If your machine is
> a shell box for friends/customers, I highly recommend considering *not*
> permitting IRC from it; this includes bouncers and eggdrops.
>
> Many IRC-induced attacks are done against a machine solely to knock it
> offline (so the user on IRC pings out for a channel takeover, or just to
> keep the user from getting back on IRC).
>
> And if your machine(s) run IRC servers... well, this is one of the many
> dangers in hosting a server. You have to weigh what's more important to
> you in this case: IRC, or the availability of your machines. I speak
> from personal experience as someone who used to administrate a public
> EFnet server, and as someone who has used IRC for the past 16 years.
> Whichever matters to you more is what you should stick with.
>
> The second most common reason for attack I've seen are controversial
> websites or domain names -- things that induce arguments, controversy or
> heated discussions, or are of a "shady" nature and would bring shady
> or questionable attention to you (e.g. wehaveeggdropshellz.com). If
> you host anything like this, consider suspending it, or removing the
> customer due to incidents which cause the network to become unavailable.
> Remember: one customer/user is not worth sacrificing all the rest.
>
> Finally: work with your own service/uplink provider. In the case of a
> very large-scale attack, your ISP will need to do the filtering to
> ensure that the packets never reach your machine. "What can they filter
> on if it's DDoS?" Good question -- very little. But your uplink should
> at least be told of the problem, both out of respect, and for your own
> benefit (especially if you are billed for *incoming* traffic!)
>
> If you don't find decent answers here, I highly recommend freebsd-net
> or freebsd-isp. Others may have better advice.
No IRC is present here, or similar staff it is just firewal/router
runing at the edge of internal network.
Also on machines in internal network there is not some, "interesting " stuff.
Thank you very much for your answer it is very helpful.
>
> Footnote: Like SMTP and spam, IRC as an entity is not evil or bad -- the
> problem is that in this day and age, it can breed trouble. I don't want
> to sound like I'm slamming IRC ("IRC sucks! Ban IRC!"); I'm not. I'm
> simply pointing out the realities that are involved with IRC in this day
> and age. The degree of anonymity DoS and IRC provide sometimes brings
> out the worst in people, and that's sad.
>
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
>
Kind regards,
Elvir Kuric
More information about the freebsd-pf
mailing list