Date: Wed, 25 Sep 2013 10:58:12 -0700
From: Charles Swiger <cswiger@mac.com>
To: NetOps Admin <netops.admin@epsb.ca>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: stopping an attack (fraggle like)
Message-ID: <68FFEAB0-055E-4BDF-85E5-F5C1EF26B3C1@mac.com>
In-Reply-To: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>
References: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>
Hi--

On Sep 25, 2013, at 10:23 AM, NetOps Admin <netops.admin@epsb.ca> wrote:
> Hi,
> We are currently getting hit with a DoS attack that looks very
> similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> coming at us from thousands of hosts. The source UDP port is 19 (chargen)
> and when it hits it consumes a 2Gb/s link.

OK. You should get your ISP or whatever upstream connectivity provider to filter out the malicious traffic before it hits your 2Gb/s link.

> Our main router is a FreeBSD server with ipfw installed. I have
> tried blocking UDP port 19 incoming from the internet in a firewall rule
> but the UDP packets are very large and they are followed by a number of
> fragmented packets. I think that even though I am blocking port 19, the
> fragmented packets are getting through and eating up the bandwidth.

Right... filtering this UDP traffic on your side is already too late, because your bandwidth is already being chewed up.

> I am a little hesitant of using a UDP deny rule with "keep-state" to
> try and block the following fragmented packets. I don't want to cause
> memory issues.

Assuming PMTUD is working, it's not normal to receive any significant # of fragmented packets over the WAN. Normally you only get them for local net traffic, i.e., NFS using 64K UDP packet size or similar. You can likely drop fragmented UDP traffic entirely, although it won't help much because your bandwidth is still being used.

> Can I use keep-state with a deny rule? Will it have issues if I use
> keep-state to track thousands of hosts in a saturated 2 Gb/s link?

I believe yes and no, respectively; on the other hand, doing stateful tracking of DoS traffic which you want to discard doesn't strike me as very useful, either.

> Any ideas on how others are controlling this?

You need to filter the malicious traffic before it hits your pipe, as much as possible. Your ISP should be willing to help make that happen; on a good day, they might even try to block ingress of the malicious traffic before it wastes their resources, rather than just working to filter the last step before your pipe.

Regards,
-- 
-Chuck
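The stateless ipfw rule pair this reply points at, as an added example that is not part of the thread: a port-based rule only sees the first fragment of each datagram (the only one carrying the UDP header), so a second rule keyed on `frag` is needed for the rest. The interface name em0 and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Emits (or, with APPLY=1
# on a FreeBSD host, applies) stateless ipfw rules that drop chargen
# (UDP source port 19) replies and the non-first fragments that follow them.
# The interface name (argument 1) and the rule numbers are assumptions.
# Usage: sh chargen-drop.sh em0           # print the rules
#        APPLY=1 sh chargen-drop.sh em0   # run them through ipfw(8)

# Print the ipfw commands for the external interface given as $1;
# $2 optionally overrides the base rule number (default 1000, assumed).
chargen_rules() {
    ext_if="$1"
    base="${2:-1000}"
    # Unfragmented datagrams and first fragments carry the UDP header, so
    # source port 19 is visible and a plain port match works.
    echo "ipfw add $base deny udp from any 19 to any in via $ext_if"
    # Non-first fragments carry only the IP header: no ports, so the rule
    # above never matches them. "frag" matches exactly those packets, and
    # the IP protocol number is still present, so "udp" is still matchable.
    echo "ipfw add $((base + 10)) deny udp from any to any frag in via $ext_if"
}

# Succeeds when the generated rules are stateless (no keep-state or
# check-state), which is what the reply recommends for traffic that is
# simply discarded: no dynamic-rule table to fill under a 2 Gb/s flood.
rules_are_stateless() {
    ! chargen_rules "$1" | grep -Eq 'keep-state|check-state'
}

main() {
    if [ "${APPLY:-0}" = "1" ] && command -v ipfw >/dev/null 2>&1; then
        chargen_rules "$1" | sh -e
    else
        chargen_rules "$1"
    fi
}

# Run only when an interface is given, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

The rules are stateless by design: nothing is gained by tracking thousands of flooding sources in the dynamic rule table when every packet is dropped anyway, and, as the reply notes, dropping on the router still leaves the inbound link saturated.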