From: Andy Dills
To: "Allan Jude - ShellFusion.net Administrator"
cc: freebsd-isp@freebsd.org
cc: freebsd@psyxakias.com
Date: Mon, 30 Jun 2003 00:37:41 -0400 (EDT)
Subject: RE: Shell Provider - DDoS Attacks - IPFW Ratelimiting
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

On Sun, 29 Jun 2003, Allan Jude - ShellFusion.net Administrator wrote:

> Using such 'limit src' firewall rules will not help you, my shell server
> quickly overran the maximum number of dynamic rules, even increasing the
> limit didn't make this plausible because there are 1000's of concurrent
> connections at any one time. If your traffic is small enough, it might
> be useful, but if you are using 10mb, or 100mb, it will easily blow your
> firewall away

Well, if you limit by individual IP, sure. Don't use a full mask; try
something like 0xffff0000, so that it's limited per /16. Don't forget to
sysctl net.inet.ip.dummynet.expire to 1, and don't be afraid to give
net.inet.ip.fw.dyn_max a nice bump.

Regardless, this isn't how you deal with a DDoS...

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
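The dummynet setup Andy sketches (a pipe whose source mask is 0xffff0000 so traffic is bucketed per /16 rather than per host, plus the two sysctls) as an added example; it is not part of the original thread. The interface name fxp0, the pipe and rule numbers, the 2Mbit/s cap and the dyn_max value are assumptions. With DRY_RUN=1, the default, the script only prints the ipfw and sysctl commands it would run, so it can be read and checked on any POSIX system without ipfw.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: generate (or, with
# DRY_RUN=0 as root on FreeBSD, apply) a per-/16 dummynet rate limit.
# Interface, rule/pipe numbers, bandwidth and dyn_max are assumptions.

IFACE="${IFACE:-fxp0}"          # assumed ingress interface
PIPE_NO="${PIPE_NO:-1}"         # assumed dummynet pipe number
RULE_NO="${RULE_NO:-1000}"      # assumed ipfw rule number
BW="${BW:-2Mbit/s}"             # assumed bandwidth cap per /16
DYN_MAX="${DYN_MAX:-65536}"     # assumed "nice bump" for dynamic rules
NET_MASK="0xffff0000"           # the /16 mask from the post, not per host

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Expire idle dummynet queues promptly and raise the dynamic-rule ceiling,
# the two sysctls named in the post.
tune_sysctls() {
    run sysctl net.inet.ip.dummynet.expire=1
    run sysctl net.inet.ip.fw.dyn_max="$DYN_MAX"
}

# One pipe with "mask src-ip" makes dummynet keep a separate queue per
# source /16 instead of per source host; then send inbound traffic on
# $IFACE through that pipe.
limit_per_slash16() {
    run ipfw pipe "$PIPE_NO" config bw "$BW" mask src-ip "$NET_MASK"
    run ipfw add "$RULE_NO" pipe "$PIPE_NO" ip from any to any in via "$IFACE"
}

# Turn a prefix length (16, 24, ...) into the hex mask ipfw expects, so the
# aggregation granularity can be changed without computing masks by hand.
prefix_to_mask() {
    bits="$1"
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    if [ "$bits" -eq 0 ]; then
        printf '0x00000000\n'
        return 0
    fi
    printf '0x%08x\n' $(( (0xffffffff << (32 - bits)) & 0xffffffff ))
}

main() {
    tune_sysctls
    limit_per_slash16
}

main
```

Run with DRY_RUN=0 as root to apply. The point of the mask is that a flood from many hosts inside one network shares one queue instead of creating thousands of per-host states, which is the table exhaustion the original poster hit; prefix_to_mask lets you widen or narrow that bucket (for example 0xffffff00 for /24) if /16 punishes too many legitimate neighbours.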