From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 25 18:44:26 2013
Date: Wed, 25 Sep 2013 11:44:19 -0700
Subject: Re: stopping an attack (fraggle like)
From: Michael Sierchio
To: "freebsd-ipfw@freebsd.org"
I would certainly not use stateful rules. If you can't influence the upstream pipes at all, then your best bet is to use GRED, which is implemented in dummynet. There is a good bit of literature about this, but the tuning of the drop will be empirically determined.

Fragmented packets won't contain port numbers anyway, but you could do this

    ipfw add allow ip from any to any via lo0
    ipfw add reass all from any to any in recv $IF_WAN
    ...

don't pass link-local packets through dummynet.

- M

On Wed, Sep 25, 2013 at 10:23 AM, NetOps Admin wrote:
> Hi,
> We are currently getting hit with a DoS attack that looks very
> similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> coming at us from thousands of hosts. The source UDP port is 19 (chargen)
> and when it hits it consumes a 2Gb/s link.
>
> Our main router is a FreeBSD server with ipfw installed. I have
> tried blocking UDP port 19 incoming from the internet in a firewall rule
> but the UDP packets are very large and they are followed by a number of
> fragmented packets. I think that even though I am blocking port 19, the
> fragmented packets are getting through and eating up the bandwidth.
>
> I am a little hesitant of using a UDP deny rule with "keep-state" to
> try and block the following fragmented packets. I don't want to cause
> memory issues.
>
> Can I use keep-state with deny rules? Will it have issues if I use
> keep-state to track thousands of hosts in a saturated 2 Gb/s link?
>
> Any ideas on how others are controlling this?
>
> Thanks
>
> ----- Kirk
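The following is an added example, not Michael's or the list's own configuration, that writes out the approach from his reply as a complete stateless ipfw ruleset: reassemble fragments on WAN ingress so the port-19 filter sees whole datagrams (the non-first fragments carry no UDP header, which is why a plain port rule lets them through), drop chargen replies, and put the remaining inbound UDP through a dummynet pipe with GRED instead of tracking thousands of sources with keep-state. The interface name em0, the UDP bandwidth ceiling and the GRED parameters are assumptions to be tuned empirically.

```shell
#!/bin/sh
# Added example (not from the thread). Stateless ipfw mitigation sketch for a
# UDP/19 (chargen) reflection flood, following the advice in the reply above.
# IF_WAN, UDP_BW and the gred parameters are assumptions: tune them on the box.

IF_WAN="${IF_WAN:-em0}"          # assumed WAN interface
UDP_BW="${UDP_BW:-200Mbit/s}"    # assumed ceiling for inbound UDP after filtering
IPFW="${IPFW:-ipfw}"             # path to ipfw(8); left as "ipfw" by default

# emit_rules prints the ipfw commands in the order they must be installed.
# Rule order matters: reass must run before the deny so that the reassembled
# datagram, which is re-evaluated from the next rule, carries the UDP header.
emit_rules() {
    cat <<EOF
$IPFW add 100 allow ip from any to any via lo0
$IPFW add 200 reass all from any to any in recv $IF_WAN
$IPFW add 300 deny udp from any 19 to any in recv $IF_WAN
$IPFW pipe 1 config bw $UDP_BW queue 50 gred 0.002/20/40/0.1
$IPFW add 400 pipe 1 udp from any to any in recv $IF_WAN
EOF
}

# check_order succeeds (exit 0) only if the reass rule number is lower than the
# port-19 deny rule number, i.e. fragments are reassembled before being filtered.
check_order() {
    reass_no=$(emit_rules | awk '/ reass /{print $3; exit}')
    deny_no=$(emit_rules | awk '/ deny udp /{print $3; exit}')
    [ "$reass_no" -lt "$deny_no" ]
}

# With no argument the script only prints the ruleset; "apply" installs it.
if [ "${1:-}" = "apply" ]; then
    check_order && emit_rules | sh
else
    emit_rules
fi
```

Two caveats worth keeping in mind with this layout. reass holds fragments in kernel memory until the datagram completes, so it trades the keep-state table the original poster was worried about for the IP reassembly limits (net.inet.ip.maxfragpackets and related sysctls), which should be checked under load. And nothing done on the receiving router recovers the 2 Gb/s the flood has already consumed on the upstream link; the pipe only keeps the surviving UDP from starving the rest of the traffic behind the router.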