Date:      Fri, 18 May 2007 16:56:05 +0300
From:      "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To:        Volker <volker@vwsoft.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Best way to decrease DDoS with pf.
Message-ID:  <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
In-Reply-To: <464D6880.2080306@vwsoft.com>
References:  <464D6880.2080306@vwsoft.com>

On 5/18/07, Volker <volker@vwsoft.com> wrote:
> > This isn't bandwidth issue, but filling the network buffer more than
> > anything else, so there are no more free sockets, and I can't connect
> > to the server via ssh, it's not syn as well.
> >
> > But mass connect to IRC server with small bw, and the server isn't
> > lagged at all.
> >
> > Rate: 245,919 Packets Per Second
> >
> > What is the best way to deal with such DDoS?
>
> Abdullah,
>
> I'm not quite sure if I get you right.
>
> if tcp traffic arrives without a SYN set, you can easily block that by
> using 'pass ... flags S/SA' so the traffic never reaches your daemon.
>
> Also for tcp traffic you may want to try 'synproxy state'.
>
> The last thing you can do is to use altq, feed the traffic into a low
> bandwidth queue and still be able to serve other traffic. As you can't
> control the downstream usage that way, you're at least able to limit
> the response and slow down traffic that way a bit. I'm doing this for
> SMTP traffic and it works great (I'm slowing down all SMTP traffic
> from windows boxes to my home server to a maximum of 6 kBit/s - non
> windows boxes are getting 40 kBit/s for SMTP connections, a bit too
> rude, I know but it works).
>
> Keep in mind, if you're under a DDoS attack, your bandwidth may still
> be eaten up, but the effects on your machine will be limited when
> using S/SA + synproxy state + bandwidth limiting.
>
> If I get you wrong, please explain your problem in a bit more detail.
>
> HTH
>
> Volker
>

Thank you for the tip.

Here's what I'm using, which fixed the issue.

# The overload clause needs this table to exist; 'persist' keeps it across
# reloads. Table and block rule are not in the original post (assumed).
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state
# pf uses last-match semantics: for packets both pass rules match, this
# second rule wins, so synproxy above only applies if it is marked 'quick'.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out proto tcp to any keep state

Comments?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
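As an added illustration (not code from the thread or from pf itself), here is a small Python model of the overload decision pf makes for the `max-src-conn 30, max-src-conn-rate 30/3` rule above. It follows my reading of pf_src_connlimit() and pf_add_threshold(): the check runs once per established TCP connection, and the rate counter decays proportionally to elapsed time rather than being a strict sliding window. The connection events and addresses are constructed.

```python
"""Model of pf's max-src-conn / max-src-conn-rate overload check.

Added example, not pf source: reimplements the decaying counter from
pf_add_threshold() as I understand it (assumption). pf evaluates it when
a TCP handshake completes, not on the first SYN.
"""
from dataclasses import dataclass

THRESHOLD_MULT = 1000  # pf scales counts by this to stay in integer math


@dataclass
class SrcNode:
    conn: int = 0   # open states from this source (max-src-conn)
    count: int = 0  # scaled rate counter (max-src-conn-rate)
    last: int = 0   # uptime, in seconds, of the last update


def established(node, now, max_conn=30, rate_limit=30, rate_secs=3):
    """Account one newly established connection from this source.
    Returns True if the source should be pushed into the overload table."""
    node.conn += 1
    diff = now - node.last
    if diff >= rate_secs:
        node.count = 0                       # window fully elapsed
    else:
        node.count -= node.count * diff // rate_secs  # proportional decay
    node.count += THRESHOLD_MULT
    node.last = now
    over_conn = max_conn and node.conn > max_conn
    over_rate = rate_limit and node.count > rate_limit * THRESHOLD_MULT
    return bool(over_conn or over_rate)


def simulate(events, **limits):
    """events: constructed (source_ip, uptime_seconds) per completed
    handshake. Returns {source: time_caught}; 'flush global' is emulated
    by dropping the source node (all its states) once it overloads."""
    nodes, overloaded = {}, {}
    for src, ts in events:
        if src in overloaded:
            continue  # blocked by the <bruteforce> table from now on
        node = nodes.setdefault(src, SrcNode())
        if established(node, ts, **limits):
            overloaded[src] = ts
            nodes.pop(src)
    return overloaded


if __name__ == "__main__":
    flood = [("198.51.100.7", 100)] * 40           # 40 connects in 1 second
    normal = [("203.0.113.5", t) for t in range(100, 110, 2)]
    print(simulate(flood + normal))                # {'198.51.100.7': 100}
```

Running it shows the flooding source caught on its 31st connection at second 100 while the slow client never trips either limit.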


