Date: Fri, 18 May 2007 16:56:05 +0300
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: Volker <volker@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
Message-ID: <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
In-Reply-To: <464D6880.2080306@vwsoft.com>
References: <464D6880.2080306@vwsoft.com>
On 5/18/07, Volker <volker@vwsoft.com> wrote:
> > This isn't a bandwidth issue, but filling the network buffer more than
> > anything else, so there are no more free sockets, and I can't connect
> > to the server via ssh. It's not SYN as well.
> >
> > But mass connects to the IRC server with small bw, and the server isn't
> > lagged at all.
> >
> > Rate: 245,919 Packets Per Second
> >
> > What is the best way to deal with such DDoS?
>
> Abdullah,
>
> I'm not quite sure if I get you right.
>
> If tcp traffic arrives without SYN set, you can easily block that by
> using 'pass ... flags S/SA' so the traffic never reaches your daemon.
>
> Also for tcp traffic you may want to try 'synproxy state'.
>
> The last thing you can do is to use altq, feed the traffic into a low
> bandwidth queue and still be able to serve other traffic. As you can't
> control the downstream usage that way, you're at least able to limit
> the response and slow down traffic that way a bit. I'm doing this for
> SMTP traffic and it works great (I'm slowing down all SMTP traffic
> from windows boxes to my home server to a maximum of 6 kBit/s - non
> windows boxes are getting 40 kBit/s for SMTP connections, a bit too
> rude, I know, but it works).
>
> Keep in mind, if you're under a DDoS attack, your bandwidth may still
> be eaten up, but the effects on your machine will be limited when
> using S/SA + synproxy state + bandwidth limiting.
>
> If I get you wrong, please explain your problem in a bit more detail.
>
> HTH
>
> Volker

Thank you for the tip.

Here is what I'm using, which fixed the issue.

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

pass out proto tcp to any keep state

Comments?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
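The rules posted in the thread reference a <bruteforce> table but never define it or block from it, and the two `pass in` rules match the same traffic: pf evaluates the rule set top to bottom and, without `quick`, the last matching rule wins, so the second rule (`keep state` with source limits) decides and the `synproxy state` rule is never the deciding rule. The fragment below is an added example, not the poster's or Volker's configuration; it declares the table, blocks listed sources early, and combines synproxy with the source-tracking limits in a single rule. The interface name, the port list and the 3600-second expiry are assumptions.

```pf
# Added example pf.conf fragment (not from the thread); em0, the port
# list and the expiry interval are assumed values.
ext_if = "em0"
tcp_services = "{ 22, 6667 }"

# Table that the overload option populates; persist keeps it across
# rule-set reloads so entries survive a 'pfctl -f'.
table <bruteforce> persist

# Drop traffic from listed sources before any pass rule is considered.
# 'quick' stops rule evaluation, so no later pass rule can override it.
block in quick on $ext_if from <bruteforce>

# flags S/SA: only packets with SYN set and ACK clear may create state,
# so non-SYN garbage never reaches the daemon.
# synproxy state: pf completes the TCP handshake itself and only then
# opens a connection to the daemon, so half-open floods stay in pf.
# max-src-conn 30: at most 30 simultaneous states per source address.
# max-src-conn-rate 30/3: at most 30 new connections per 3 seconds per
# source. Exceeding either limit adds the source to <bruteforce>, and
# 'flush global' kills every state from that source, not only the states
# created by this rule.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

pass out on $ext_if proto tcp to any keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, list the addresses currently in the table with `pfctl -t bruteforce -T show`, and have cron run `pfctl -t bruteforce -T expire 3600` periodically so that sources are released after an hour instead of staying blocked until the next reboot.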