dealing with DoS - practical tips & tools?
dch at skunkwerks.at
Fri Apr 3 08:52:36 UTC 2020
Yesterday I saw another mild DoS attack on our network. Typically we get UDP floods and similar generic attacks, and also websocket-specific "layer 7" attacks from random IPs.
Typically a few applications go offline when sockets are exhausted, or when their rate limiting kicks in hard.
Currently my setup is naive:
- pf with manual blocklists as required
- haproxy for layer7 blocklists
- off-server logs indexed in graylog
Which is pretty limited in both understanding what's happening *right now*, and also doing anything other than manual reaction to issues, *after* they impact users.
Before we go full cloudflare or whatever, where DDoS protection costs an arm and a leg, what do people recommend as the next open-source steps?
I'd like a couple of features - better real-time visibility, and some automation.
- last few hours of tcpdump level traffic, searchable in some form, off-server
- something partially automated that can update pf & haproxy tables when Obviously Bad Things happen
Are there any FreeBSD tools that people could recommend? Any tunables that help with resilience?
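One way to start on the second bullet (partially automated pf table updates), as an added example that is not part of the original post and is not any FreeBSD or haproxy tool's own code: a POSIX sh script that counts haproxy client addresses in a syslog extract, picks the ones over a per-window threshold, and emits (or, with DRY_RUN=0, runs) the pfctl commands that add them to a table. Assumptions not taken from the post: a pf table named badhosts that a block rule references, haproxy logging through syslog in its default HTTP log format, and the constructed sample log lines embedded below.

```shell
#!/bin/sh
# Added example, not from the original post: derive a pf blocklist from
# haproxy access logs. Assumed, not stated in the post:
#   - pf.conf contains a persistent table used by a block rule, e.g.
#       table <badhosts> persist
#       block in quick from <badhosts>
#   - haproxy logs via syslog in its default HTTP format, so after the
#     "haproxy[pid]:" tag (field 5) the client address is field 6 as
#     "%ci:%cp", i.e. address:port, printed without brackets for IPv6.

# Constructed sample syslog lines (not real traffic). 203.0.113.7 and
# 2001:db8::1 each appear three times, 198.51.100.9 once, and one line
# comes from sshd so the haproxy filter is exercised.
SAMPLE_LOG='Apr  3 08:50:01 edge haproxy[1234]: 203.0.113.7:51234 [03/Apr/2020:08:50:01.123] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 1/1/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:01 edge haproxy[1234]: 203.0.113.7:51235 [03/Apr/2020:08:50:01.130] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 2/2/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:01 edge haproxy[1234]: 198.51.100.9:40000 [03/Apr/2020:08:50:01.140] fe_ws be_ws/ws1 0/0/0/2/2 101 305 - - ---- 3/3/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:02 edge sshd[999]: Accepted publickey for dch from 192.0.2.10 port 2222 ssh2
Apr  3 08:50:02 edge haproxy[1234]: 203.0.113.7:51236 [03/Apr/2020:08:50:02.001] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 3/3/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:02 edge haproxy[1234]: 2001:db8::1:60001 [03/Apr/2020:08:50:02.010] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 4/4/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:02 edge haproxy[1234]: 2001:db8::1:60002 [03/Apr/2020:08:50:02.020] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 5/5/0/0/0 0/0 "GET /ws HTTP/1.1"
Apr  3 08:50:03 edge haproxy[1234]: 2001:db8::1:60003 [03/Apr/2020:08:50:03.000] fe_ws be_ws/ws1 0/0/0/1/1 101 305 - - ---- 5/5/0/0/0 0/0 "GET /ws HTTP/1.1"'

# Print, one per line and sorted, every client address that has more than
# THRESHOLD haproxy lines on stdin. Only lines tagged "haproxy[pid]:" count,
# and the trailing ":port" is stripped, which also works for IPv6 because
# the port is always the last colon-separated component.
flood_sources() { # usage: flood_sources THRESHOLD < logfile
    awk -v max="$1" '
        $5 ~ /^haproxy\[[0-9]+\]:$/ {
            ip = $6
            sub(/:[0-9]+$/, "", ip)
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] > max) print ip }
    ' | sort
}

# Turn a list of addresses on stdin into "pfctl -t TABLE -T add ADDR".
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them,
# which needs root and a loaded ruleset that references TABLE.
pf_block_cmds() { # usage: pf_block_cmds TABLE < iplist
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'pfctl -t %s -T add %s\n' "$1" "$ip"
        else
            pfctl -t "$1" -T add "$ip"
        fi
    done
}

# End to end: everything in LOGFILE over THRESHOLD goes into TABLE.
block_floods() { # usage: block_floods TABLE THRESHOLD LOGFILE
    flood_sources "$2" < "$3" | pf_block_cmds "$1"
}

# Example run against the constructed sample, in dry-run mode:
#   printf '%s\n' "$SAMPLE_LOG" | flood_sources 2 | pf_block_cmds badhosts
```

In practice this would be driven from cron over only the most recent window of the log (for example `tail -n 20000 /var/log/haproxy.log` every minute) with the threshold tuned to the site's normal per-client rate, and entries need to age out again, which pf supports directly with `pfctl -t badhosts -T expire 3600` after the counters have been cleared. The same address list can be pushed into haproxy's own ACL through its runtime socket, but that is configuration-specific and is left out here. For the first bullet (a searchable ring of recent packets), tcpdump's own rotation flags keep a bounded rolling capture without extra tooling, e.g. `tcpdump -i em0 -G 600 -W 12 -w /var/tmp/ring-%H%M.pcap` rotates every 600 seconds and keeps 12 files, about two hours, which can then be shipped off-server.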