Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 29 Jun 2003 18:07:24 -0400
From:      "Allan Jude - ShellFusion.net Administrator" <dukemaster@shellfusion.net>
To:        "'Artyom V. Viklenko'" <artem@mipk-kspu.kharkov.ua>, <freebsd@psyxakias.com>
Cc:        freebsd-isp@freebsd.org
Subject:   RE: Shell Provider - DDoS Attacks - IPFW Ratelimiting
Message-ID:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4RatOouMvEOzXXL4aXw9/cKAAAAQAAAA3vNgIV2eRU6CkFFWyc+0xAEAAAAA@shellfusion.net>
In-Reply-To: <3EFDA5A2.4020707@mipk-kspu.kharkov.ua>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Using such 'limit src' firewall rules will not help you, my shell server
quickly overran the maximum number of dynamic rules, even increasing the
limit didn't make this plausable because there are 1000's of concurrent
connections at any one time. If your traffic is small enough, it might
be useful, but if you are using 10mb, or 100mb, it will easily blow your
firewall away

-----Original Message-----
From: owner-freebsd-isp@freebsd.org
[mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Artyom V. Viklenko
Sent: Saturday, June 28, 2003 10:27 AM
To: PsYxAkIaS (FreeBSD)
Cc: freebsd-isp@freebsd.org
Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting


PsYxAkIaS (FreeBSD) wrote:
> Hello all,
> 
> I currently administrate a shell provider that has several problems
with DDoS attacks. Most attacks are with infected botnets(I've seen even
5000+ ips) that use icmp or tcp flood on 21/80/113(ftp/http/ident) ports
and/or sometimes udp flood. Our connection is 10 mbps and we are
planning to move to 100 mbps. However I am trying to find some solutions
to limit the problem like cisco firewall or some special technical
support from the colocation isp (Internap) because sometimes attacks are
over 100 mbps like 300-350 mbps.  
> 
> -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS,
WHATEVER IT IS, I WILL APPRECIATE IT :) <---
> 
> Anyway, In order to slow down DDoS attacks we are thinking to set
ratelimit. I recompiled the kernel with DUMMYNET and I am running
something like the following:
> 
> For example, to limit 400 kbps on 212.*:
> ----------------------------------------------------------
> ipfw pipe 1 config bw 400kbit/s delay 50ms
> ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any
> ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8
> 

You can try to use 'limit src-addr n' in ipfw rules. n is a number of
concurent connections from single ip address. It is very usefull with
statefull filtering. Hope this helps in case of TCP-based attacks
such as SYN-flood.



_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4RatOouMvEOzXXL4aXw9/cKAAAAQAAAA3vNgIV2eRU6CkFFWyc+0xAEAAAAA>