dealing with DoS - practical tips & tools?

[Dave Cottlehuber]

yesterday I saw another mild DoS attack on our network. Typically we get UDP floods and similar generic attacks, and also websocket-specific "layer 7" attacks from random IPs.

Typically a few applications go offline when sockets are exhausted, or when their rate limiting kicks in hard.

Currently my setup is naive:

- pf with manual blocklists as required
- haproxy for layer7 blocklists
- off-server logs indexed in graylog

Which is pretty limited in both understanding what's happening *right now*, and also doing anything other than manual reaction to issues, *after* they impact users.

Before we go full cloudflare or whatever, where DDoS protection which costs an arm and a leg, what do people recommend as the next open-source steps?

I'd like a couple of features - better real-time visibility, and some some automation.

perhaps:

- last few hours of tcpdump level traffic, searchable in some form, off-server

- something partially automated that can update pf & haproxy tables when Obviously Bad Things happen

Are there any FreeBSD tools that people could recommend? Any tunables that help with resilience?

A+
Dave