From: "Marc G. Fournier" <scrappy@hub.org>
Date: Thu, 7 Oct 2004 12:19:28 -0300 (ADT)
To: freebsd-net@freebsd.org
cc: freebsd-isp@freebsd.org, freebsd-questions@freebsd.org
Subject: Reduce effects of DDoS attack ...
Message-ID: <20041007120946.K2822@ganymede.hub.org>

I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last night, a DDoS attack against a network "beside us" caused 70+% packet loss on our network, and I'm trying to figure out if there is anything I can do from my side to "compensate" for this ...

I run ipaudit on all our servers, and a normal 30 minute period looks like:

    neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
    12107
    neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
    112
    neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
    12219

where 200.046.204 is our C-class ...
Now, when the DDoS attack is running, those stats change to:

    neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
    5815
    neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
    594189
    neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
    600004

We're getting *a lot* of traffic on our network that just is not ours ...

Now, I can log in to the servers, and load is negligible ... but packet loss is anywhere from 50->90%, so pretty much unusable ...

Now, the shared 'switch' between our networks is a Cisco Catalyst 2900xl ... is there something that should be set on that so that I don't see that network traffic? Basically, the only network traffic that I should/want to see is that for my network .. in this case, 200.46.204?

Barring that ... is there anything that I can do on the FreeBSD side of things to reduce the impact of the "extra packets"? Some way of "absorbing them"? For instance, if the packet is coming in, and it isn't for that server, then I imagine it has to 'bounce' it back out again, compounding the problem, no?

Also ... since the FreeBSD servers do seem to be handling the load, is it possible that the unmanaged switch that I have in place between the FreeBSD box and the Cisco switch is 'buckling under the load'? Not able to handle the packets fast enough, and therefore just dropping them? The unmanaged switch is a 10/100 Linksys Switch ...

Thanks for any responses ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664
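The grep/wc counting above is a good quick check, but it lumps every record containing the string "200.046.204" together, whether the address is source or destination, and it cannot tell a minor change from a flood. The following script is an added example, not part of Marc's post or of ipaudit itself: it reads ipaudit-style records, strips ipaudit's zero-padded octets, classifies each flow as "ours" or "foreign" against the poster's 200.46.204.0/24, and flags the interval when the foreign share crosses a threshold. The record layout (src, dst, proto, srcport, dstport, pkts_src_to_dst, pkts_dst_to_src) and the sample lines are constructed for the example; real ipaudit output carries more fields, so adjust the field indices to your own files.

```python
import ipaddress
from typing import Dict, Iterable

# The poster's network (200.046.204 in ipaudit's zero-padded notation).
OUR_NET = ipaddress.ip_network("200.46.204.0/24")

# Constructed sample records in an assumed, simplified ipaudit-like layout:
#   src dst proto srcport dstport pkts_src_to_dst pkts_dst_to_src
SAMPLE_QUIET = """\
200.046.204.010 066.249.064.001 6 00080 41232 12 14
066.249.064.001 200.046.204.010 6 41232 00080 5 6
200.046.204.011 200.046.204.012 17 00053 53211 1 1
"""

# Same layout, but most records are a flood aimed at a neighbouring /24
# (200.46.205.x) that our servers see only because they share the segment.
SAMPLE_ATTACK = """\
200.046.204.010 066.249.064.001 6 00080 41232 12 14
010.001.001.001 200.046.205.007 17 03333 00080 900 0
010.001.001.002 200.046.205.007 17 03334 00080 900 0
010.001.001.003 200.046.205.007 17 03335 00080 900 0
"""


def normalize(addr: str) -> ipaddress.IPv4Address:
    """Turn '200.046.204.010' into an IPv4Address.

    ipaudit zero-pads octets; recent Python versions reject leading zeros
    in dotted quads, so each octet is converted through int() first.
    """
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in addr.split(".")))


def classify(lines: Iterable[str], net: ipaddress.IPv4Network = OUR_NET) -> Dict[str, int]:
    """Count flows and packets that touch our network versus those that don't."""
    stats = {"ours": 0, "foreign": 0, "ours_pkts": 0, "foreign_pkts": 0}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed record: skip rather than crash
        src, dst = normalize(fields[0]), normalize(fields[1])
        pkts = int(fields[5]) + int(fields[6])
        if src in net or dst in net:
            stats["ours"] += 1
            stats["ours_pkts"] += pkts
        else:
            stats["foreign"] += 1
            stats["foreign_pkts"] += pkts
    return stats


def foreign_fraction(stats: Dict[str, int]) -> float:
    """Share of flows in the interval that do not involve our network."""
    total = stats["ours"] + stats["foreign"]
    return stats["foreign"] / total if total else 0.0


def is_flooded(lines: Iterable[str], threshold: float = 0.5) -> bool:
    """True when foreign flows exceed the threshold share of all flows.

    The poster's quiet interval is ~1% foreign and the attack interval ~99%,
    so a 50% threshold separates the two with a wide margin.
    """
    return foreign_fraction(classify(lines)) > threshold


if __name__ == "__main__":
    for name, sample in (("quiet", SAMPLE_QUIET), ("attack", SAMPLE_ATTACK)):
        st = classify(sample.splitlines())
        print(f"{name}: {st}  foreign share={foreign_fraction(st):.2f}"
              f"  flooded={is_flooded(sample.splitlines())}")
```

Running it over a real 30 minute file would look like `gzcat 2004-10-06-17:30.txt.gz | python3 thisscript.py` with the loop changed to read `sys.stdin`; the useful part is that the foreign share is computed per interval, so it can be graphed or alerted on rather than eyeballed from three wc counts.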