Reduce effects of DDoS attack ...

Bigelow, Andrea L. BigelowA at SEC.GOV
Thu Oct 7 08:30:30 PDT 2004

Marc, usually the best answer to this is to have your net-facing device be a
router (not a switch!) with enough juice to run a comprehensive ACL that
keeps out martians, spoofed packets, and other stuff that doesn't belong on
your network. 

Your second line of defense should be a good firewall, sitting behind the
router. If your server cluster is supposed to be on the DMZ, then set up the
switch behind the router with the boxes and the firewall on that switch. I
realize that this is a VERY simplistic design description, and it could be
tightened up, locked down, and fancified quite a lot, but it's the very

-----Original Message-----
From: Marc G. Fournier [mailto:scrappy at] 
Sent: Thursday, October 07, 2004 11:19 AM
To: freebsd-net at
Cc: freebsd-isp at; freebsd-questions at
Subject: Reduce effects of DDoS attack ...

I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last
night, a DDoS attack against a network "beside us" cause 70+% packet loss on
our network, and I'm trying to figure out if there is anything I can do from
my side to "compensate" for this ...

I run ipaudit on all our servers, and a normal 30 minute period looks

neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l

where 200.046.204 is our C-class ...

Now, when the DDoS attack is running, those stats change to:

neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l

We're getting *alot* of traffic on our network that just is not ours ...

Now, I can login to the servers, and load is negligible ... but packet loss
is anywhere from 50->90%, so pretty much unusable ...

Now, the shared 'switch' between our networks is a Cisco Catalyst 2900xl ...
is there something that should be set on that so that I don't see that
network traffic?  Basically, the only network traffic that I should/want to
see is that for my network .. in this case, 200.46.204?

Baring that ... is there anything that I can do on the FreeBSD side of
things to reduce the impact of the "extra packets"?  Some way of "absorbing
them"?  For instance, if the packet is coming in, and it isn't for that
server, then I imagine it has to 'bounce' it back out again, compounding the
problem, no?

Also ... since the FreeBSD servers do seem to be handling the load, is it
possible that the unmanaged switch that i have in place between the FreeBSD
box and the Cisco switch is 'buckling under the load'?  Not able to handle
the packets fast enough, and therefore just drop'ng them?

The unmanage switch is a 10/100 Linksys Switch ...

Thanks for any responses ...

Marc G. Fournier           Hub.Org Networking Services (
Email: scrappy at           Yahoo!: yscrappy              ICQ: 7615664
freebsd-questions at mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list