Date: Sun, 5 Jan 2003 13:05:09 -0800 (PST)
From: Josh Brooks <user@mail.econolodgetulsa.com>
To: freebsd-net@freebsd.org
Subject: Need help dealing with (D)DoS attacks (desperately)
Message-ID: <20030105124644.Q80512-100000@mail.econolodgetulsa.com>
Hi.

I am running this as my firewall/router:

    4.4-RELEASE FreeBSD 4.4-RELEASE #0

And I have no ability to change that anytime soon.

Recently I have been having a lot of trouble with floods/ddos/etc. When these attacks occur, my firewall is totally unresponsive, I cannot ssh in to type a single command (and thus cannot tcpdump anything) and clients of systems on the inside either get no response, or get:

    ssh_exchange_identification: read: Connection reset by peer

(and things like that)

--------

So far, I have only done two things to my firewall.

First, I upped NMBCLUSTERS to the point that I am now running at:

    # netstat -m
    650/4768/32768 mbufs in use (current/peak/max):
            650 mbufs allocated to data
    559/4524/8192 mbuf clusters in use (current/peak/max)
    10240 Kbytes allocated to network (41% of mb_map in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

So therefore I can conclude that the unresponsiveness, etc., is not due to running out of mbuf clusters.

The only other thing I did was:

    sysctl -w net.inet.icmp.drop_redirect=1

I have no reason to suspect I am getting redirects, but it seemed like a good idea to do anyway.

So that is all I have done to the firewall in terms of protection/hardening.

-----------

So now I need to know what else I can do. All I know is that I am getting attacks that are _not_ saturating the physical pipe, but are cutting my network off from the rest of the world because the firewall simply refuses to do anything - it's just hung. Generally, of the 15meg pipe we have, we have about 6-9 megs of traffic during an attack, so the pipe is _not_ saturated, but again, the firewall just hangs during it.

I am open to any suggestions. The only thing I can find that I might do is:

    ipfw add drop tcp from any to any tcpflags syn,fin

which I am led to believe is functionally equivalent to the TCP_DROP_SYNFIN option and sysctl. Is this ipfw rule a general protection against syn floods?

Also what is the downside to doing this? I read not to do it on webservers - this firewall runs _nothing_ but ssh, so presumably it is safe, but there are a LOT of servers behind this firewall that _do_ run web servers, ircds, mail servers, etc. - will it have any effect on them? Will it even be useful at all since the firewall is presumably not even the target, but rather the target is on the other side of the firewall?

-----------

Again, any and all suggestions appreciated - even theoretical guesses as to what kind of attack/traffic would make the firewall just hang like that and not process any traffic, even though mbuf clusters were not maxed out... I am not concentrating on the syn-fin stuff above because I think it is the right thing, only because it is all I can come up with - so anything is appreciated.

thanks!
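The poster's reasoning above ("peak never reached max, so it is not mbuf exhaustion") can be made into a repeatable check. The script below is an added example, not code from the post or from FreeBSD: a small sh/awk function that parses `netstat -m` output in the 4.x format quoted above, reports how close each pool's peak came to its max, and fails if a pool peaked at 90% or more (an assumed threshold) or if any memory request was denied. The sample input is the poster's own `netstat -m` lines, embedded so the script runs offline.

```shell
#!/bin/sh
# Sample input: the `netstat -m` lines quoted in the post (FreeBSD 4.x format).
SAMPLE_NETSTAT_M='650/4768/32768 mbufs in use (current/peak/max):
        650 mbufs allocated to data
559/4524/8192 mbuf clusters in use (current/peak/max)
10240 Kbytes allocated to network (41% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

# mbuf_pressure: read netstat -m text on stdin and print
#   "<pool> peak=<n> max=<n> pct=<n>" for the mbuf and cluster pools,
#   then "denied=<n>".
# Exit status 1 if any pool peaked at >= 90% of its max (assumed
# threshold) or any allocation request was denied; 0 otherwise.
mbuf_pressure() {
    awk '
        # First field of the pool lines is current/peak/max.
        /mbufs in use/         { split($1, f, "/"); report("mbufs", f[2], f[3]) }
        /mbuf clusters in use/ { split($1, f, "/"); report("clusters", f[2], f[3]) }
        /requests for memory denied/ { denied = $1 }

        function report(name, peak, max,   pct) {
            pct = int(peak * 100 / max)
            printf "%s peak=%d max=%d pct=%d\n", name, peak, max, pct
            if (pct >= 90) bad = 1          # headroom nearly gone at peak
        }

        END {
            printf "denied=%d\n", denied + 0
            if (denied + 0 > 0) bad = 1     # kernel actually refused memory
            exit bad ? 1 : 0
        }'
}

# Stand-alone run against the sample; a real host would pipe `netstat -m` in.
printf '%s\n' "$SAMPLE_NETSTAT_M" | mbuf_pressure \
    || echo "mbuf pools under pressure: investigate before blaming the attack type"
```

On the poster's figures this reports clusters at 55% of max with nothing denied, which supports their conclusion that the hang is not cluster exhaustion.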