Date:      Wed, 25 Sep 2013 15:56:04 -0600
From:      "Joe Thompson" <jt@dhtcolorado.com>
To:        "Charles Swiger" <cswiger@mac.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: stopping an attack (fraggle like)
Message-ID:  <9134141EFB6B1E4E96DE9D17DC6861FA146263@Tubastrea.cs.dancinghorsetechnology.com>
In-Reply-To: <CAOWR6cA8EAJidMruz5s6E%2BvyNSO4REJoiBke1WTFQHZy-D14Xg@mail.gmail.com>
References:  <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com> <68FFEAB0-055E-4BDF-85E5-F5C1EF26B3C1@mac.com> <CAOWR6cA8EAJidMruz5s6E%2BvyNSO4REJoiBke1WTFQHZy-D14Xg@mail.gmail.com>

You might give another call to the ISP and see if they can at least do a
basic switch ACL to drop UDP to port 19, I typically have not had too
many problems requesting this.  You may also want to make sure any rules
on your side use a drop versus a reject mechanism to avoid backscatter
killing your uplink.  In cases such as these it can often become an
impossible task to deflect without ISP support, might be time to pull
that service level agreement.

~J

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of NetOps Admin
Sent: Wednesday, September 25, 2013 3:52 PM
To: Charles Swiger
Cc: freebsd-ipfw@freebsd.org
Subject: Re: stopping an attack (fraggle like)

On Wed, Sep 25, 2013 at 11:58 AM, Charles Swiger <cswiger@mac.com>
wrote:

> Hi--
>
> On Sep 25, 2013, at 10:23 AM, NetOps Admin <netops.admin@epsb.ca> wrote:
> > Hi,
> >       We are currently getting hit with a DoS attack that looks very
> > similar to a Fraggle attack. We are seeing a large amount of UDP
> > traffic coming at us from thousands of hosts.  The source UDP port
> > is 19 (chargen) and when it hits it consumes a 2Gb/s link.
>
> OK.  You should get your ISP or whatever upstream connectivity
> provider to filter out the malicious traffic before it hits your 2Gb/s
> link.
>

   My ISP is only able to filter out based on the attacking IP address.
They did offer to block the IP if I can identify who is attacking us.
This doesn't help in the case of a Fraggle attack where I don't see the
initial attacker and the attack is hitting me from a few thousand IP's.


>
> >       Our main router is a FreeBSD server with ipfw installed.  I
> > have tried blocking UDP port 19 incoming from the internet in a
> > firewall rule but the UDP packets are very large and they are
> > followed by a number of fragmented packets.  I think that even
> > though I am blocking port 19, the fragmented packets are getting
> > through and eating up the bandwidth.
>
> Right...filtering this UDP traffic on your side is already too late,
> because your bandwidth is already being chewed up.
>

   That is the problem.  I am trying to affect it from my end since my
ISP can't help in this situation.  I guess this is really not an option.
;(

---- Kirk
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
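Added example (not from any of the posters, and not their actual ruleset): the two points raised in the thread, in ipfw form. The "weak" rule is the one Kirk describes, a deny on UDP source port 19, which cannot match the non-initial fragments because only the first fragment carries the UDP header. The hardened form uses ipfw's `frag` option for the trailing fragments and `deny` (silent drop) rather than `reject`/`unreach`/`reset`, as Joe advises, so no backscatter goes out the uplink. A small log parser then pulls the busiest reflector addresses out of ipfw's syslog output, since Kirk's ISP said it could filter by source IP if given a list. The interface name `em0`, the rule numbers, the log-line shape and the sample log are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread; it is not the poster's ruleset.
# Assumptions (hypothetical): the uplink interface is em0, rule numbers
# 1000-1010 are free, and ipfw logging goes to syslog in the usual
# "ipfw: <rule> Deny UDP <src>:<sport> <dst>:<dport> in via <if>" form.
EXT_IF="${EXT_IF:-em0}"

# The rule from the thread: block UDP with source port 19 only. Only the
# first fragment of a datagram carries the UDP header, so the trailing
# fragments never match this rule and pass straight through.
weak_rules() {
    cat <<EOF
add 1000 deny udp from any 19 to any in via $EXT_IF
EOF
}

# Corrected form: 'deny' drops silently (no ICMP unreachable or RST sent
# back at the spoofed reflectors, unlike 'reject'/'unreach'/'reset'), and
# 'frag' matches non-initial fragments, which carry no L4 header at all.
# 'log' lets us harvest reflector addresses for the ISP (see top_sources).
hardened_rules() {
    cat <<EOF
add 1000 deny log udp from any 19 to any in via $EXT_IF
add 1010 deny log ip from any to any frag in via $EXT_IF
EOF
}

# ipfw reads one subcommand per line from a file, so feed it a temp file.
apply_rules() {
    tmp=$(mktemp) || return 1
    hardened_rules > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Reads ipfw syslog lines on stdin and prints "<hits> <reflector-ip>" for
# dropped UDP packets with source port 19, busiest first, top N (default 20).
# This is the per-source list the ISP in the thread said it could filter on.
top_sources() {
    awk '
        /ipfw: [0-9]+ Deny UDP/ {
            for (i = 1; i <= NF; i++)
                if ($i == "UDP") {
                    split($(i + 1), a, ":")
                    if (a[2] == "19") count[a[1]]++
                    break
                }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn | head -n "${1:-20}"
}

# Constructed sample log (not from the thread), used by the "demo" mode.
SAMPLE_LOG='Sep 25 15:56:04 gw kernel: ipfw: 1000 Deny UDP 203.0.113.5:19 198.51.100.7:40001 in via em0
Sep 25 15:56:04 gw kernel: ipfw: 1000 Deny UDP 198.18.0.9:19 198.51.100.7:40002 in via em0
Sep 25 15:56:04 gw kernel: ipfw: 1000 Deny UDP 203.0.113.5:19 198.51.100.7:40003 in via em0
Sep 25 15:56:05 gw kernel: ipfw: 1000 Deny UDP 192.0.2.77:19 198.51.100.7:40004 in via em0
Sep 25 15:56:05 gw kernel: ipfw: 1000 Deny UDP 203.0.113.5:19 198.51.100.7:40005 in via em0
Sep 25 15:56:05 gw kernel: ipfw: 1000 Deny UDP 198.18.0.9:19 198.51.100.7:40006 in via em0
Sep 25 15:56:05 gw kernel: ipfw: 2000 Deny UDP 203.0.113.99:53 198.51.100.7:40007 in via em0
Sep 25 15:56:06 gw kernel: ipfw: 3000 Deny TCP 203.0.113.5:80 198.51.100.7:40008 in via em0'

case "${1:-}" in
    show)  hardened_rules ;;
    apply) apply_rules ;;
    demo)  printf '%s\n' "$SAMPLE_LOG" | top_sources 5 ;;
esac
```

Run with `show` to print the rules, `apply` (as root, on the FreeBSD router) to load them, or `demo` to run the parser over the constructed log; on a live box, `ipfw -a list` shows hit counters on rules 1000 and 1010, which is the quick check that fragments are actually being caught. Three caveats: logging every packet of a 2 Gb/s flood is load in itself, so keep `net.inet.ip.fw.verbose_limit` set to rate-limit it; the `frag` rule also drops legitimate non-initial fragments (large UDP DNS or NFS replies), and ipfw's `reass` action is the alternative if that matters, at the cost of reassembly memory under attack; and, as Charles says above, none of this frees the link, it only protects what sits behind the router, which is why the ISP ACL is still the real fix.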



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9134141EFB6B1E4E96DE9D17DC6861FA146263>