Date: Sun, 18 Jan 2009 04:12:58 -0800 (PST)
From: fbsdmail@dnswatch.com
To: freebsd-pf@freebsd.org
Subject: Re: Blocking udp flood traffic using pf, hints welcome
Message-ID: <2b1dc259cdb3912c5dc6ba9be9929e9b.dnswclient@webmail.dnswatch.com>
Greetings,

On Sun, Nov 9, 2008 at 4:37 AM, Elvir Kuric <omasnjak@gmail.com> wrote:
> > Hi all,
> >
> > I am playing with the pf tool on openbsd/freebsd platforms and it is a super
> > tool for firewalls. One thing is interesting for me, and I am hoping
> > someone has experience with this.
> >
> > If I say
> >
> > block log all
> > block in log (all) quick on $ext_if proto udp from any to $ext_if
> >
> > this would block all traffic on $ext_if, but on my ext_if I receive a
> > lot (a huge amount) of udp generated traffic which causes me a lot
> > of problems.
> > I also tried to add a small pipe and play with ALTQ to handle this but
> > it did not help a lot. Also I know that every packet which hits my
> > ext_if should be processed (or at least take a little processor
> > resources, if I block it with the keyword quick), but I am wondering
> > is there some way to decrease the impact on the system when a lot of
> > packets arrive in a short time.
> >
> > My question would be, what are your experiences with battling against
> > boring udp flooders? Platforms are FreeBSD / OpenBSD and all works
> > like a charm except, from time to time, stupid udp flood attacks.
> >
>
> Not sure if this will help in your situation, but you could try
> setting the 'blackhole' for UDP. (There is also one for TCP.)
>
> net.inet.tcp.blackhole
> net.inet.udp.blackhole

Those options require a bit more syntax. The options I've been using as
part of my installs are:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

and while they will nearly prevent you from becoming a "drone", they
won't prevent you from being attacked /by/ a "drone". I know from
personal experience. :(

Good advice on your part, nonetheless. :)

Best wishes.

--Chris

> --
> Glen Barber
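The following shell script is an added example and is not part of the thread or of anyone's reply in it. It audits the two sysctls Chris lists against the values he uses (tcp=2, udp=1), reading the `name: value` lines that `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole` prints on FreeBSD. The function names `blackhole_value` and `audit_blackhole` and the sample input are my own constructions; the pf rules from Elvir's message are unchanged and not repeated here.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two blackhole sysctls against the
# values Chris uses. Input is the "name: value" output format of FreeBSD's sysctl(8).

WANT_TCP=2   # 2: drop both SYN and non-SYN segments to closed TCP ports without a RST
WANT_UDP=1   # 1: send no ICMP port unreachable for datagrams to closed UDP ports

# blackhole_value NAME: print the value recorded for NAME in the sysctl output on
# stdin; prints an empty line when NAME is absent. (Hypothetical helper name.)
blackhole_value() {
    awk -v key="$1" -F': *' '$1 == key { print $2; found = 1 } END { if (!found) print "" }'
}

# audit_blackhole: read sysctl output on stdin, report each setting, and return 0
# only when both match the recommended values. (Hypothetical helper name.)
audit_blackhole() {
    input=$(cat)
    tcp=$(printf '%s\n' "$input" | blackhole_value net.inet.tcp.blackhole)
    udp=$(printf '%s\n' "$input" | blackhole_value net.inet.udp.blackhole)
    rc=0
    if [ "$tcp" = "$WANT_TCP" ]; then
        echo "ok   net.inet.tcp.blackhole=$tcp"
    else
        echo "FAIL net.inet.tcp.blackhole=${tcp:-unset} (want $WANT_TCP)"
        rc=1
    fi
    if [ "$udp" = "$WANT_UDP" ]; then
        echo "ok   net.inet.udp.blackhole=$udp"
    else
        echo "FAIL net.inet.udp.blackhole=${udp:-unset} (want $WANT_UDP)"
        rc=1
    fi
    return $rc
}

# Constructed sample: a host with the TCP setting applied that still answers
# datagrams sent to closed UDP ports.
SAMPLE='net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 0'

# Stand-alone run: audit the live kernel on FreeBSD; on any other system, where
# these sysctl names do not exist, audit the constructed sample instead.
if sysctl -n net.inet.udp.blackhole >/dev/null 2>&1; then
    sysctl net.inet.tcp.blackhole net.inet.udp.blackhole | audit_blackhole
else
    printf '%s\n' "$SAMPLE" | audit_blackhole || true
fi
```

The values belong in /etc/sysctl.conf in the `name=value` form Chris shows; the script only checks what the running kernel reports. The caveat the check is meant to surface: these sysctls suppress only the reply the kernel would otherwise send for a closed port (a RST for TCP, an ICMP port unreachable for UDP). That cuts the answer traffic and the host's usefulness as a reflector, but every inbound datagram is still received and processed by the stack and by pf, which is why neither the `quick` block rule nor the blackhole settings reduce the inbound load Elvir describes.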