Date: Sun, 29 Jun 2003 18:07:24 -0400 From: "Allan Jude - ShellFusion.net Administrator" <dukemaster@shellfusion.net> To: "'Artyom V. Viklenko'" <artem@mipk-kspu.kharkov.ua>, <freebsd@psyxakias.com> Cc: freebsd-isp@freebsd.org Subject: RE: Shell Provider - DDoS Attacks - IPFW Ratelimiting Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4RatOouMvEOzXXL4aXw9/cKAAAAQAAAA3vNgIV2eRU6CkFFWyc%2B0xAEAAAAA@shellfusion.net> In-Reply-To: <3EFDA5A2.4020707@mipk-kspu.kharkov.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
Using such 'limit src' firewall rules will not help you, my shell server quickly overran the maximum number of dynamic rules, even increasing the limit didn't make this plausable because there are 1000's of concurrent connections at any one time. If your traffic is small enough, it might be useful, but if you are using 10mb, or 100mb, it will easily blow your firewall away -----Original Message----- From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Artyom V. Viklenko Sent: Saturday, June 28, 2003 10:27 AM To: PsYxAkIaS (FreeBSD) Cc: freebsd-isp@freebsd.org Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting PsYxAkIaS (FreeBSD) wrote: > Hello all, > > I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets(I've seen even 5000+ ips) that use icmp or tcp flood on 21/80/113(ftp/http/ident) ports and/or sometimes udp flood. Our connection is 10 mbps and we are planning to move to 100 mbps. However I am trying to find some solutions to limit the problem like cisco firewall or some special technical support from the colocation isp (Internap) because sometimes attacks are over 100 mbps like 300-350 mbps. > > -->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <--- > > Anyway, In order to slow down DDoS attacks we are thinking to set ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following: > > For example, to limit 400 kbps on 212.*: > ---------------------------------------------------------- > ipfw pipe 1 config bw 400kbit/s delay 50ms > ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any > ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8 > You can try to use 'limit src-addr n' in ipfw rules. n is a number of concurent connections from single ip address. It is very usefull with statefull filtering. Hope this helps in case of TCP-based attacks such as SYN-flood. _______________________________________________ freebsd-isp@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-isp To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4RatOouMvEOzXXL4aXw9/cKAAAAQAAAA3vNgIV2eRU6CkFFWyc%2B0xAEAAAAA>