Reduce effects of DDoS attack ...

Bigelow, Andrea L. BigelowA at SEC.GOV
Thu Oct 7 08:30:30 PDT 2004


Marc, usually the best answer to this is to have your net-facing device be a
router (not a switch!) with enough juice to run a comprehensive ACL that
keeps out martians, spoofed packets, and other stuff that doesn't belong on
your network. 

Your second line of defense should be a good firewall, sitting behind the
router. If your server cluster is supposed to be on the DMZ, then set up the
switch behind the router with the boxes and the firewall on that switch. I
realize that this is a VERY simplistic design description, and it could be
tightened up, locked down, and fancified quite a lot, but it's the very
basics. 

-----Original Message-----
From: Marc G. Fournier [mailto:scrappy at hub.org] 
Sent: Thursday, October 07, 2004 11:19 AM
To: freebsd-net at freebsd.org
Cc: freebsd-isp at freebsd.org; freebsd-questions at freebsd.org
Subject: Reduce effects of DDoS attack ...


I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last
night, a DDoS attack against a network "beside us" caused 70+% packet loss on
our network, and I'm trying to figure out if there is anything I can do from
my side to "compensate" for this ...

I run ipaudit on all our servers, and a normal 30 minute period looks
like:

neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
    12107
neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
      112
neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
    12219

where 200.046.204 is our C-class ...

Now, when the DDoS attack is running, those stats change to:

neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
     5815
neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
   594189
neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
   600004

We're getting *a lot* of traffic on our network that just is not ours ...

Now, I can login to the servers, and load is negligible ... but packet loss
is anywhere from 50->90%, so pretty much unusable ...

Now, the shared 'switch' between our networks is a Cisco Catalyst 2900xl ...
is there something that should be set on that so that I don't see that
network traffic?  Basically, the only network traffic that I should/want to
see is that for my network .. in this case, 200.46.204?

Barring that ... is there anything that I can do on the FreeBSD side of
things to reduce the impact of the "extra packets"?  Some way of "absorbing
them"?  For instance, if the packet is coming in, and it isn't for that
server, then I imagine it has to 'bounce' it back out again, compounding the
problem, no?

Also ... since the FreeBSD servers do seem to be handling the load, is it
possible that the unmanaged switch that I have in place between the FreeBSD
box and the Cisco switch is 'buckling under the load'?  Not able to handle
the packets fast enough, and therefore just dropping them?

The unmanaged switch is a 10/100 Linksys Switch ...

Thanks for any responses ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy at hub.org           Yahoo!: yscrappy              ICQ: 7615664
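Marc's `grep 200.046.204 | wc -l` counts split each ipaudit interval into "ours" and "not ours" by substring match, which also matches an address such as 10.200.46.204 and treats the dot as a regex wildcard. As an added example (not code from the thread or from ipaudit), the script below does the same split with proper prefix matching and flags an interval where most of the flows seen are foreign to the local /24. The ipaudit field layout (source, destination, then protocol and ports) and the sample lines are assumptions constructed for the example; only the first two fields are read.

```python
import ipaddress

# Constructed sample in the shape of ipaudit's per-interval text output (assumed
# layout: src dst proto srcport dstport ...). Octets are zero-padded as in the
# post's grep pattern; the fourth line is a host whose address merely contains
# the string "200.046.204" and must not be counted as local.
SAMPLE_NORMAL = """\
200.046.204.010 064.233.160.004 6 00080 33412 1500 400 10 8
200.046.204.010 066.102.007.099 6 00080 33413 1500 400 10 8
192.168.001.050 200.046.204.015 17 00053 51000 120 80 1 1
010.200.046.204 064.233.160.004 6 12345 00080 60 60 1 1
"""

# Constructed flood interval: one local flow, five flows aimed at the neighbour's
# network (200.46.203.0/24) that were seen on the shared segment anyway.
SAMPLE_FLOOD = """\
200.046.204.010 064.233.160.004 6 00080 33412 1500 400 10 8
198.051.100.007 200.046.203.001 17 04242 00080 40 0 1 0
198.051.100.008 200.046.203.001 17 04243 00080 40 0 1 0
198.051.100.009 200.046.203.001 17 04244 00080 40 0 1 0
203.000.113.044 200.046.203.001 6 51000 00080 40 0 1 0
203.000.113.045 200.046.203.001 6 51001 00080 40 0 1 0
"""

LOCAL_NET = ipaddress.ip_network("200.46.204.0/24")

def parse_addr(token):
    """Strip zero-padded octets ('200.046.204.010'); ipaddress rejects them."""
    return ipaddress.ip_address(".".join(str(int(o)) for o in token.split(".")))

def classify_flows(text, local_net=LOCAL_NET):
    """Count flows with an endpoint in local_net vs. flows with none there."""
    counts = {"local": 0, "foreign": 0, "unparsed": 0}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            src, dst = parse_addr(fields[0]), parse_addr(fields[1])
        except ValueError:
            counts["unparsed"] += 1
            continue
        counts["local" if (src in local_net or dst in local_net) else "foreign"] += 1
    return counts

def foreign_fraction(counts):
    seen = counts["local"] + counts["foreign"]
    return counts["foreign"] / seen if seen else 0.0

def is_flooded(counts, threshold=0.5):
    """True when more than `threshold` of the flows seen are not ours at all."""
    return foreign_fraction(counts) > threshold
```

Run `classify_flows` over each half-hour file the same way the post uses `gzcat`; an interval that trips `is_flooded` while the boxes themselves are idle points at the shared segment rather than at the servers.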