Info on DOS mitigation, kernel configuration for DOS mitigation

Mon Mar 15 21:12:06 UTC 2010

Bogdan Webb wrote:
> Hello everyone!
> First of all I would like to apologize to anyone who finds my appeal a lazy
> man's choice; actually it's indeed lazy, but it's the best way to get an
> answer from a valid source. My problem is a potential DOS/DDOS... I know, a
> forever-talked-about issue... I've already searched the FreeBSD mailing
> lists and found some mitigation techniques; too bad that Google ain't that
> familiar with FreeBSD, and searching for guides is a pain... I recall
> finding a mitigation technique that involved bandwidth shaping and other ...
> I'm using FreeBSD 7.2-p7 with ipfw and upon testing the rules in those
> guides it alerted me that bandwidth modules weren't included in the BSD
> kernel... Anyway, could anyone provide me with a good BSD walkthrough for DOS

kldload dummynet, see loader.conf(5)

> mitigation and, if needed, kernel modules and kernel module integration, maybe
> other firewalls (but with an extended howto..) ... (basically anything related
> to floods)

As you probably guessed, a) this is a complex problem because one man's
DOS is another's regular traffic - it's complex even to detect something
like that, and b) most of the general solutions are not
platform-specific but can apply to any operating system, so you can
learn them from many sources.

First, you need to define what your outgoing network connection is (e.g. 
"10 mbit/s") and then see what kinds of tradeoffs you are prepared to 
make to protect yourself.

The general advice is:
	- read ipfw(5), especially sections on dummynet and the "limit" rule
	- study software like
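As an added illustration of the two pieces of advice above (dummynet shaping plus the ipfw "limit" rule), here is a small rc.firewall-style script that is not part of this thread; the interface name em0, the 10 Mbit/s uplink and the per-host connection count are assumptions to adjust for the real host.

```shell
#!/bin/sh
# Added example, not from the thread: a small ipfw + dummynet ruleset in the
# style of /etc/rc.firewall. Interface, uplink speed and limits are assumptions.
#
# Make the modules available at boot (see loader.conf(5)):
#   ipfw_load="YES"
#   dummynet_load="YES"

oif="${oif:-em0}"                      # assumed outbound interface
uplink="${uplink:-10Mbit/s}"           # assumed uplink capacity
per_host_conns="${per_host_conns:-20}" # assumed max concurrent conns per source

# $1 is the ipfw binary; pass "echo" to print the rules instead of loading them.
load_dos_rules() {
    fwcmd="${1:-/sbin/ipfw}"

    # dummynet is needed for pipe/queue rules; load it if the kernel lacks it.
    kldstat -q -m dummynet 2>/dev/null || kldload dummynet 2>/dev/null || true

    "${fwcmd}" -f flush
    "${fwcmd}" -f pipe flush

    # Pipe 1 caps outbound traffic at the real link speed; queue 1 (WF2Q+)
    # splits that pipe fairly per destination host instead of letting one
    # remote address starve the rest.
    "${fwcmd}" pipe 1 config bw "${uplink}"
    "${fwcmd}" queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff

    "${fwcmd}" add 100 allow ip from any to any via lo0
    "${fwcmd}" add 200 check-state

    # The "limit" rule: each source may hold at most N open TCP connections
    # to port 80; further SYNs from that address are dropped, so one flooding
    # host cannot exhaust the web server's connection slots.
    "${fwcmd}" add 300 allow tcp from any to me 80 setup limit src-addr "${per_host_conns}"
    "${fwcmd}" add 310 allow tcp from any to me established

    # Everything leaving the uplink goes through the shaped queue.
    "${fwcmd}" add 400 queue 1 ip from any to any out xmit "${oif}"
    "${fwcmd}" add 65000 allow ip from any to any
}
```

Run `load_dos_rules echo` first to review the generated rules, then `load_dos_rules` as root to install them.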

