Blocking udp flood traffic using pf, hints welcome

David DeSimone fox at verio.net
Sun Nov 9 12:35:46 PST 2008


Elvir Kuric <omasnjak at gmail.com> wrote:
>
> I absolutely agree with you regarding logging, and I do not practice
> this, only logging specific data.  The biggest problem with these DoS
> attacks (udp floods) is that the processor must spend some time on packet
> arrival (even dropping takes some processor power).

You may want to consider adding "keep state" to your "block log" rules. 
If you keep state on the blocked packets, only the first packet that is
blocked will get logged; the others will be blocked statefully without
consulting the rulebase, which may save some processing time.

Note that "keep state" is only implicit on "pass" rules, you must add it
on "block" rules.

> No IRC is present here, or similar stuff; it is just a firewall/router
> running at the edge of the internal network.
> 
> Also on machines in the internal network there is no "interesting"
> stuff.

I suppose what you mean is "No IRC is present here" that you know of.  A
nefarious hacker can actually install these tools in ways that you are
not aware of, and this is often the cause of any DOS attacks you
receive.  I agree with the above, DOS attacks do not typically happen
without reason.  There is probably a reason that your system is coming
under attack, and you need to do some real forensic examination to make
sure that your systems (all of them, the ones that forward traffic
through this BSD gateway of yours) are clean and not doing anything they
shouldn't be.

It's easy to say that you did not set up anything bad on your systems,
but can you really say with certainty that no one has broken into your
systems and installed something you don't know about?

-- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


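Added example, not part of the original message: a pf.conf fragment showing the plain "block log" rule beside the variant David suggests, with "keep state" written out explicitly because it is only implicit on "pass" rules. The interface name, the table name and the flooder addresses are assumptions for illustration.

```pf
# Added example (not from the original message). Names below are assumed:
# $ext_if is the external interface, <flooders> a table of source
# addresses you have chosen to drop.
ext_if = "em0"
table <flooders> persist { 192.0.2.0/24 }   # constructed sample prefix

# Before: no state. Every UDP packet from <flooders> is matched against
# the rulebase and every one of them produces a pflog entry.
block in log quick on $ext_if proto udp from <flooders> to any

# After: "keep state" added explicitly (block rules do not get it by
# default). Intent, per the message: log the first packet of a flow and
# let later packets of the same flow be handled by the state table
# instead of a fresh rulebase walk.
block in log quick on $ext_if proto udp from <flooders> to any keep state
```

Before relying on this, check what your pf build actually does with it: `pfctl -vsr` prints per-rule evaluation, packet and state counters, so you can see whether the "After" rule is still being evaluated for every packet; `pfctl -ss` shows whether any state entries are created for the blocked flows at all (whether pf creates state for a block rule is version-dependent, so confirm it rather than assume it); and `tcpdump -n -e -ttt -i pflog0` shows how many log records the rule is really producing.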

