Info on DOS mitigation, kernel configuration for DOS mitigation
ivoras at freebsd.org
Mon Mar 15 21:12:06 UTC 2010
Bogdan Webb wrote:
> Hello everyone!
> First of all I would like to apologize to anyone who finds my appeal a lazy
> man's choice; actually it's indeed lazy, but it's the best way to get an
> answer from a valid source. My problem is a potential DOS/DDOS... I know, a
> forever-talked-about issue... I've already searched the FreeBSD mailing
> lists and found some mitigation techniques; too bad that Google ain't that
> familiar with FreeBSD, and searchin' for guides is a pain... I recall
> finding a mitigation technique that involved bandwidth shaping and other ...
> I'm using FreeBSD 7.2-p7 with ipfw and upon testing the rules in those
> guides it alerted me that bandwidth modules weren't included in the BSD's
> kernel... Anyway, could anyone provide me with a good BSD walkthrough for DOS
kldload dummynet, see loader.conf(5)
> mitigation and, if needed, kernel modules and kernel module integration, maybe
> other firewalls (but with an extended howto..) ... (basically anything regarding
> floods)
As you can probably guess, a) this is a complex problem because one man's
DOS is another's regular traffic - it's complex even to detect something
like that, and b) most of the general solutions are not
platform-specific but can apply to any operating system, so you can
learn them from many sources.
First, you need to define what your outgoing network connection is (e.g.
"10 mbit/s") and then see what kinds of tradeoffs you are prepared to
make to protect yourself.
The general advice is:
- read ipfw(5), especially sections on dummynet and the "limit" rule
- study software like http://codee.pl/cband.html
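A ruleset generator along the lines of the advice above (a dummynet pipe sized to the declared uplink plus the ipfw "limit" option on new inbound TCP connections), added here as an example and not part of the original thread. The uplink speed, the per-source connection cap, the interface name em0 and the sysctl values are assumptions; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an ipfw ruleset that
# caps the uplink with a dummynet pipe and bounds per-source TCP state with
# the "limit" rule option. Uplink speed, per-host cap and interface name
# are assumptions supplied by the caller; review the output before running it.

# gen_rules UPLINK_MBIT PER_SRC_LIMIT [IFACE] -> prints the ruleset; returns 1 on bad input.
gen_rules() {
    uplink_mbit="$1"        # declared outgoing bandwidth, e.g. 10 for 10 Mbit/s
    per_src_limit="$2"      # max simultaneous TCP states one source address may hold
    iface="${3:-em0}"       # outward-facing interface (assumed name)

    # Refuse empty or non-numeric values rather than emitting a broken ruleset.
    case "$uplink_mbit" in ''|*[!0-9]*) echo "gen_rules: bad uplink '$uplink_mbit'" >&2; return 1;; esac
    case "$per_src_limit" in ''|*[!0-9]*) echo "gen_rules: bad limit '$per_src_limit'" >&2; return 1;; esac

    # dummynet is a loadable module; load it only if it is not already present.
    echo "kldstat -q -m dummynet || kldload dummynet"
    # Bound the dynamic-rule table so a flood cannot exhaust kernel memory,
    # and expire half-open (SYN-only) states quickly (values are illustrative).
    echo "sysctl net.inet.ip.fw.dyn_max=4096"
    echo "sysctl net.inet.ip.fw.dyn_syn_lifetime=10"
    # With one_pass=0 a packet continues to later rules after the pipe instead of being accepted.
    echo "sysctl net.inet.ip.fw.one_pass=0"
    echo "ipfw -q flush"
    echo "ipfw -q pipe flush"
    # Pipe 1 models the uplink: once it is saturated dummynet drops packets
    # rather than letting the queue grow without bound.
    echo "ipfw pipe 1 config bw ${uplink_mbit}Mbit/s queue 50"
    echo "ipfw add 100 allow ip from any to any via lo0"
    # Shape everything leaving the interface before any allow decision, so
    # replies matched by dynamic rules are still rate-limited.
    echo "ipfw add 150 pipe 1 ip from any to any out via ${iface}"
    # Packets matching an existing dynamic rule are accepted here.
    echo "ipfw add 200 check-state"
    # New inbound TCP connections (SYN only, via 'setup') create a dynamic rule;
    # 'limit src-addr N' refuses the (N+1)th concurrent connection from one host.
    echo "ipfw add 300 allow tcp from any to me in via ${iface} setup limit src-addr ${per_src_limit}"
    # Locally initiated traffic gets a dynamic rule so its replies pass at check-state.
    echo "ipfw add 400 allow ip from any to any out via ${iface} keep-state"
    echo "ipfw add 65000 deny ip from any to any"
}

# Usage: gen_rules 10 20 > /tmp/ipfw-dos.sh   (inspect, then run as root)
```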