pf to block against DDoS?

Redd Vinylene reddvinylene at gmail.com
Mon Sep 22 05:05:53 UTC 2008


> > > > From: Redd Vinylene <reddvinylene at ...>
> > > > To: <questions at ...>, <misc at ...>
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter <lists at ...>
> > > To: Redd Vinylene <reddvinylene at ...>
> > > Cc: <questions at ...>, <misc at ...>
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > >   http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver at peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > >                                       -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen <peter at ...>
> > To: Oliver Peter <lists at ...>
> > Cc: Redd Vinylene <reddvinylene at ...>, <questions at ...>, <misc at ...>
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that!  However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> >
> From: Lars Noodén <larsnooden at ...>
> To: Oliver Peter <lists at ...>
> Cc: Redd Vinylene <reddvinylene at ...>, <misc at ...>
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Sorry, _this_ is my webserver's pf.conf (the other one was my home
firewall's):

-

# macros: host addresses and the external interface
mad = "80.202.2.3"
doom = "{ 80.202.2.4 - 80.202.2.127 }"
ext_if = "rl0"

# answer blocked packets with TCP RST / ICMP unreachable instead of dropping silently
set block-policy return
set skip on { lo0 }
scrub in

# sources that trip an overload limit below are added to this table
table <bruteforce> persist

pass out keep state
block in
# no direction given, so this matches in both directions; quick makes it final
block quick from <bruteforce>

# ssh: per source, at most 15 concurrent connections and 5 new ones per 3 seconds;
# exceeding either limit puts the source in <bruteforce> and "flush global"
# kills every state that source holds, not only the ones from this rule
pass in on $ext_if inet proto tcp from any to any port 22 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from any to $mad port { 25, 53, 80, 110 } keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in on $ext_if inet proto udp from any to $mad port 53 keep state

pass in on $ext_if inet proto tcp from any to $doom port { 20, 21, 113, 6000:9999 } keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in on $ext_if inet proto icmp from any to any keep state

-

I hope the design adheres to: http://en.wikipedia.org/wiki/KISS_principle

-- 
http://www.home.no/reddvinylene
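Lars's two-table idea from the quoted reply, written out as an added pf.conf example that is not part of this thread: a first overload moves the source into a rate-limited table, a second overload from there blocks it. Assumed: a kernel with ALTQ, the ext_if/mad macros from the post above, and a 10Mb uplink for the cbq root queue.

```pf
# Added example, not from the thread. Assumes ALTQ in the kernel and a 10Mb uplink.
ext_if = "rl0"
mad = "80.202.2.3"

table <slow> persist        # first offence: shunted to the slow queue, not blocked
table <bruteforce> persist  # second offence: blocked outright

# a throttled child queue for sources on probation
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std  bandwidth 90% cbq(default)
queue slow bandwidth 64Kb cbq

block in
block quick from <bruteforce>

# Sources already in <slow> get the slow queue and much tighter limits;
# tripping those promotes the source to <bruteforce>. "quick" keeps the
# general rule below from overriding this one (pf is last-match otherwise).
pass in quick on $ext_if inet proto tcp from <slow> to $mad port ssh \
    keep state (max-src-conn 5, max-src-conn-rate 2/10, overload <bruteforce> flush global) \
    queue slow

# Everyone else: the original limits, but overload only lands in <slow>.
# "flush global" drops the offender's existing states, so its next connection
# is evaluated afresh and matches the <slow> rule above.
pass in on $ext_if inet proto tcp from any to $mad port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <slow> flush global)

pass out keep state

# The "second chance": expire <slow> entries older than an hour from cron:
#   pfctl -t slow -T expire 3600
```

Entries in <bruteforce> are left alone here; expire them the same way with a longer interval if permanent blocking is not wanted.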


More information about the freebsd-questions mailing list