Reduce effects of DDoS attack ...
m.seaman at infracaninophile.co.uk
Thu Oct 7 08:37:39 PDT 2004
On Thu, Oct 07, 2004 at 12:19:28PM -0300, Marc G. Fournier wrote:
> I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last
> night, a DDoS attack against a network "beside us" cause 70+% packet loss
> on our network, and I'm trying to figure out if there is anything I can do
> from my side to "compensate" for this ...
> I run ipaudit on all our servers, and a normal 30 minute period looks
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
> neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
> neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
> where 200.046.204 is our C-class ...
> Now, when the DDoS attack is running, those stats change to:
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
> neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
> neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
> We're getting *alot* of traffic on our network that just is not ours ...
Seems that when the CISCO box upstream gets overloaded it starts
sending packets everywhere, instead of just to the networks they're
You could put in a filtering bridge upstream of your unmanaged switch,
which would let you strip out everything not intended for your
assigned subnet. However, as your FreeBSD servers seem to be handling
the load just fine, that probably won't do you much good.
If the switch upstream of you is completely overloaded, there's not a
lot you can do, other than get your network moved over to some less
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20041007/57d79640/attachment.bin
More information about the freebsd-questions