Blocking udp flood traffic using pf, hints welcome

fbsdmail at dnswatch.com fbsdmail at dnswatch.com
Sun Jan 18 04:12:59 PST 2009


Greetings,

 On Sun, Nov 9, 2008 at 4:37 AM, Elvir Kuric <omasnjak at gmail.com> wrote:
> > Hi all,
> >
> > I am playing with the pf tool on OpenBSD/FreeBSD platforms and it is a super
> > tool for firewalls. One thing is interesting for me, and I am hoping
> > someone has experience with this.
> >
> > If I say
> >
> > block log all
> > block in log (all) quick on $ext_if proto udp from any to $ext_if
> >
> > this would block all traffic on $ext_if, but on my ext_if I receive a
> > lot (a huge amount) of UDP-generated traffic which causes me a lot
> > of problems.
> > I also tried to add a small pipe and play with ALTQ to handle this, but
> > it did not help a lot. Also I know that every packet which hits my
> > ext_if has to be
> > processed (or at least takes a little processor time, even if I block
> > it with the keyword quick), but I am wondering whether there is some way to
> > decrease the impact on the system
> > when a lot of packets arrive in a short time.
> >
> > My question would be, what are your experiences with battling against
> > boring UDP flooders? The platforms are FreeBSD / OpenBSD and all works
> > like a charm except for, from time to time, stupid UDP flood attacks.
> >
>
> Not sure if this will help in your situation, but you could try
> setting the 'blackhole' for UDP. (There is also one for TCP.)
>
> net.inet.tcp.blackhole
> net.inet.udp.blackhole

Those options require a bit more syntax. The options I've been using
as part of my installs are:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

and while they will nearly prevent you from becoming a "drone", they
won't prevent you from being attacked /by/ a "drone". I know from
personal experience. :(

Good advice on your part, nonetheless. :)

Best wishes.

--Chris

> --
> Glen Barber
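The thread touches two separate knobs: a pf `block ... quick` rule, which drops a packet before the IP stack sees it, and the net.inet.tcp.blackhole / net.inet.udp.blackhole sysctls, which only change whether the stack answers an unsolicited packet to a closed port. The following is an added example for this page, not code from the thread or from FreeBSD: a small Python model whose reply logic follows the behaviour documented in blackhole(4) (udp.blackhole=1 suppresses the ICMP port-unreachable for a closed UDP port; tcp.blackhole=1 suppresses the RST for a SYN to a closed TCP port; tcp.blackhole=2 suppresses the RST for any segment to a closed TCP port). It runs a constructed 10000-datagram UDP flood through each configuration and counts the work at each stage. The `Packet` record, the `OPEN_PORTS` set, the function names and the flood itself are assumptions constructed for the example.

```python
"""Model of how a FreeBSD host answers unsolicited packets, and how a pf
'block quick' rule and the net.inet.{tcp,udp}.blackhole sysctls change that.

Added example for this thread, not code from the thread or from FreeBSD.
Reply semantics follow blackhole(4): udp.blackhole=1 suppresses the ICMP
port-unreachable for a closed UDP port; tcp.blackhole=1 suppresses the RST
for a SYN to a closed TCP port; tcp.blackhole=2 suppresses the RST for any
segment to a closed TCP port.  Packets and open-port sets are constructed.
"""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP only: a bare SYN, i.e. a connection attempt


def stack_reply(pkt, open_ports, tcp_blackhole=0, udp_blackhole=0):
    """Reply the IP stack sends for pkt, or None if it stays silent."""
    if pkt.dport in open_ports.get(pkt.proto, set()):
        return None  # delivered to a socket: no error reply either way
    if pkt.proto == "udp":
        return None if udp_blackhole >= 1 else "icmp-port-unreachable"
    if pkt.proto == "tcp":
        if tcp_blackhole >= 2:
            return None
        if tcp_blackhole == 1 and pkt.syn_only:
            return None
        return "rst"
    raise ValueError("unknown protocol %r" % pkt.proto)


def run_flood(packets, open_ports, *, tcp_blackhole=0, udp_blackhole=0,
              pf_block_udp=False):
    """Push packets through a minimal pf-then-stack pipeline and count work.

    pf_block_udp models 'block in quick on $ext_if proto udp': pf still has
    to evaluate every packet, but blocked ones never reach the stack.
    """
    c = Counter()
    for pkt in packets:
        c["pf_evaluated"] += 1
        if pf_block_udp and pkt.proto == "udp":
            c["pf_dropped"] += 1
            continue
        c["stack_processed"] += 1
        reply = stack_reply(pkt, open_ports, tcp_blackhole, udp_blackhole)
        if reply is not None:
            c["replies_" + reply] += 1
    return c


def constructed_udp_flood(n, seed=1):
    """Constructed sample flood: n UDP datagrams to random high ports."""
    rng = random.Random(seed)
    return [Packet("udp", rng.randint(1024, 65535)) for _ in range(n)]


# Constructed: the host serves DNS on UDP/53 and SSH/HTTP on TCP.
OPEN_PORTS = {"udp": {53}, "tcp": {22, 80}}


if __name__ == "__main__":
    flood = constructed_udp_flood(10000)
    for label, kw in [
        ("defaults            ", {}),
        ("udp.blackhole=1     ", {"udp_blackhole": 1}),
        ("pf block quick udp  ", {"pf_block_udp": True}),
    ]:
        print(label, dict(run_flood(flood, OPEN_PORTS, **kw)))
```

The counters show the difference in kind between the two knobs: with udp.blackhole=1 the host stops emitting one ICMP error per flood packet (so it no longer amplifies the flood back toward the spoofed source), but `stack_processed` is unchanged, because every datagram still reaches the stack. The pf `block quick` rule drops the flood before the stack, yet `pf_evaluated` is still the full packet count, which is the cost the original poster was asking about; neither knob removes the per-packet work of receiving and evaluating the traffic on $ext_if.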

More information about the freebsd-pf mailing list