From: "Torsten Kersandt" <torsten@cnc-london.net>
To: freebsd-pf@freebsd.org
Date: Wed, 15 Jul 2009 00:46:22 +0100
Subject: RE: PF + ALT QUEUE for DDOS DNS attack

Hi

It is a common problem and can best be prevented by configuring your DNS server to limit recursion (lookup requests for domains that are not local or authoritative) to the internal network and trusted Internet IP addresses only. All other solutions may just delay or limit normal DNS server responses. Most DNS server software does that very simply, and if it is an internal machine doing this, block UDP/TCP requests to port 53 from that address to your server using pf until resolved.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Kevin
Sent: 14 July 2009 23:56
To: freebsd-pf@freebsd.org
Subject: PF + ALT QUEUE for DDOS DNS attack

Greetings,

I am currently attempting to mitigate a DDoS attack on our network that is comprised mainly of bogus DNS requests. The attacks seem to be coming in waves of DNS queries on our internal systems.

I have tried several different ways of mitigating this, one of which is to queue the DNS traffic via PF + ALTQ. I have attempted to limit the DNS traffic to the particular host that is being attacked. However, this doesn't seem to be very effective, as the nature of a DDoS attack means that the queries being made are fairly simple and straightforward.

I was hoping to get some tips / tricks from people who have encountered similar scenarios. My firewall is (obviously) PF.

FreeBSD specific information:

FreeBSD fw 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #4: Tue Dec 16 13:00:03 EST 2008 fw@fw:/usr/obj/usr/src/sys/FW i386

I'm looking for tips / tricks as far as what I can do on the firewall level, of course. Any help is greatly appreciated! :)

~kevin

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
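The two firewall-side pieces discussed in this thread, Torsten's "block port 53 from the offending internal host with pf" and Kevin's ALTQ queue for DNS traffic, as an added pf.conf example that is not from either poster. Interface names, the 192.0.2.0/24 addresses and the 100Mb uplink are assumptions; the recursion limit itself is configured in the DNS server, not in pf.

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD 7.x
# gateway whose kernel has ALTQ and ALTQ_CBQ compiled in. Interface names,
# addresses (RFC 5737 documentation range) and bandwidth are assumptions.
ext_if       = "em0"
int_if       = "em1"
dns_server   = "192.0.2.53"          # the resolver being hammered
internal_net = "192.0.2.0/24"

# Internal hosts seen sending the bogus queries. Maintained at runtime with
# "pfctl -t dns_abusers -T add <addr>" / "-T delete", no ruleset reload needed.
table <dns_abusers> persist { 192.0.2.77 }

# ALTQ: keep DNS from starving everything else on the uplink. This only
# caps the damage; the real fix is the resolver's recursion ACL.
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_dns }
queue q_default bandwidth 90% cbq(default)
queue q_dns     bandwidth 10%

# 1. Drop port-53 traffic from the listed internal hosts before any pass
#    rule can match, and log it so the source can be followed up.
block drop in log quick on $int_if proto { tcp, udp } \
    from <dns_abusers> to $dns_server port 53

# 2. Only the internal network may reach the resolver from the inside.
pass in quick on $int_if proto { tcp, udp } \
    from $internal_net to $dns_server port 53 keep state

# 3. The resolver's replies to external queriers and its own upstream
#    lookups leave through the dedicated queue instead of the default one.
pass out on $ext_if proto { tcp, udp } from $dns_server port 53 to any \
    keep state queue q_dns
pass out on $ext_if proto { tcp, udp } from $dns_server to any port 53 \
    keep state queue q_dns
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the queue statistics from `pfctl -vsq` show whether the DNS queue is the one dropping packets.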