Date: Wed, 25 Sep 2013 15:51:54 -0600
From: NetOps Admin <netops.admin@epsb.ca>
To: Charles Swiger <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: stopping an attack (fraggle like)
Message-ID: <CAOWR6cA8EAJidMruz5s6E%2BvyNSO4REJoiBke1WTFQHZy-D14Xg@mail.gmail.com>
In-Reply-To: <68FFEAB0-055E-4BDF-85E5-F5C1EF26B3C1@mac.com>
References: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com> <68FFEAB0-055E-4BDF-85E5-F5C1EF26B3C1@mac.com>

On Wed, Sep 25, 2013 at 11:58 AM, Charles Swiger <cswiger@mac.com> wrote:

> Hi--
>
> On Sep 25, 2013, at 10:23 AM, NetOps Admin <netops.admin@epsb.ca> wrote:
> > Hi,
> > We are currently getting hit with a DoS attack that looks very
> > similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> > coming at us from thousands of hosts. The source UDP port is 19 (chargen)
> > and when it hits it consumes a 2Gb/s link.
>
> OK. You should get your ISP or whatever upstream connectivity provider to
> filter out the malicious traffic before it hits your 2Gb/s link.

My ISP is only able to filter out based on the attacking IP address. They
did offer to block the IP if I can identify who is attacking us. This
doesn't help in the case of a Fraggle attack where I don't see the initial
attacker and the attack is hitting me from a few thousand IPs.

> > Our main router is a FreeBSD server with ipfw installed. I have
> > tried blocking UDP port 19 incoming from the internet in a firewall rule
> > but the UDP packets are very large and they are followed by a number of
> > fragmented packets. I think that even though I am blocking port 19, the
> > fragmented packets are getting through and eating up the bandwidth.
>
> Right...filtering this UDP traffic on your side is already too late, because
> your bandwidth is already being chewed up.

That is the problem. I am trying to affect it from my end since my ISP
can't help in this situation. I guess this is really not an option. ;(

----
Kirk
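
The fragment behaviour raised in this thread, as an added example that is not part of the original e-mail: a simplified Python model (not ipfw's code) of a stateless source-port rule applied to one fragmented chargen reply, next to a variant that also drops the trailing fragments. All addresses, sizes and ports other than 19 are constructed sample data, and the function names are hypothetical.

```python
import struct

def ipv4(src, dst, ident, offset, more, payload):
    """Build a minimal IPv4 packet carrying UDP (constructed sample, checksum 0)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, 17, 0, bytes(src), bytes(dst)) + payload

def parse(pkt):
    """Return (datagram key, fragment offset, UDP source port or None)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    offset = (flags_off & 0x1FFF) * 8
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])
    sport = None
    # Only the first fragment (offset 0) carries the UDP header and its ports.
    if pkt[9] == 17 and offset == 0 and len(pkt) >= ihl + 8:
        sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return key, offset, sport

def port_rule_only(pkts, blocked=19):
    """Stateless rule: drop UDP packets whose visible source port is `blocked`."""
    return ["drop" if parse(p)[2] == blocked else "pass" for p in pkts]

def port_rule_with_fragment_tracking(pkts, blocked=19):
    """Also drop later fragments of a datagram whose first fragment was dropped.
    Assumes the first fragment arrives first; reordered fragments would slip by."""
    dropped, verdicts = set(), []
    for p in pkts:
        key, offset, sport = parse(p)
        if sport == blocked:
            dropped.add(key)
            verdicts.append("drop")
        elif offset > 0 and key in dropped:
            verdicts.append("drop")
        else:
            verdicts.append("pass")
    return verdicts

def sample_packets():
    """Constructed traffic: one 3000-byte chargen reply in 3 fragments, one DNS reply."""
    reflector, dns, victim = (192, 0, 2, 10), (198, 51, 100, 5), (203, 0, 113, 7)
    chargen = struct.pack("!HHHH", 19, 40000, 3008, 0) + b"A" * 3000
    frags = [ipv4(reflector, victim, 7, off, off + 1480 < len(chargen),
                  chargen[off:off + 1480]) for off in (0, 1480, 2960)]
    dns_reply = struct.pack("!HHHH", 53, 40001, 20, 0) + b"B" * 12
    return frags + [ipv4(dns, victim, 8, 0, False, dns_reply)]

if __name__ == "__main__":
    pkts = sample_packets()
    print(port_rule_only(pkts))
    print(port_rule_with_fragment_tracking(pkts))
```

In both variants the packets have already crossed the upstream link by the time the router sees them, which is the limitation pointed out in the quoted reply.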