Date: Fri, 3 Apr 2020 08:53:06 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Dave Cottlehuber <dch@skunkwerks.at>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: dealing with DoS - practical tips & tools?
Message-ID: <CAHu1Y73i0vFzAM5K56pAN3kSUnhoPFnykEFdUaaEZnTr7GUvEg@mail.gmail.com>
In-Reply-To: <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com>
References: <bb5105b4-78ab-4e6c-b4f6-70db867d690c@www.fastmail.com>
On Fri, Apr 3, 2020 at 1:56 AM Dave Cottlehuber <dch@skunkwerks.at> wrote:

> yesterday I saw another mild DoS attack on our network. Typically we get
> UDP floods and similar generic attacks, and also websocket-specific "layer
> 7" attacks from random IPs.
>
> Typically a few applications go offline when sockets are exhausted, or
> when their rate limiting kicks in hard.
>
> Currently my setup is naive:
>
> - pf with manual blocklists as required
> - haproxy for layer7 blocklists
> - off-server logs indexed in graylog
>
> Which is pretty limited in both understanding what's happening *right
> now*, and also doing anything other than manual reaction to issues, *after*
> they impact users.
>
> ...
>
> Are there any FreeBSD tools that people could recommend? Any tunables that
> help with resilience?

I can't help with pf, since I use ipfw, but...

I use gRED / RED courtesy of Dummynet. Depending on where you apply the
pipe, it helps a great deal with things like DDoS where blocking IP
addresses doesn't reduce the traffic a whit.

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata
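As an added illustration of the ipfw + Dummynet setup Michael mentions (this is editor-supplied example code, not from either poster): a GRED pipe on the inbound UDP path, so that under a flood the queue drops packets early and randomly instead of letting the host's socket buffers fill up. Interface name, pipe and rule numbers, bandwidth and all RED parameters are assumed values to be tuned for the real link; the rules are printed by default and only handed to ipfw when DRY_RUN=0.

```shell
#!/bin/sh
# Editor-added example, not from the thread. Assumed values: em0 as the
# external interface, pipe 1, rule 1000, 200 Mbit/s link, 200-slot queue.
# gred w_q/min_th/max_th/max_p = queue weight, min/max thresholds (slots),
# max drop probability: with a 200-slot queue, random early drops begin at
# 20 queued packets and reach a 10% drop probability at 80.
IFACE="${IFACE:-em0}"
PIPE=1
RULE=1000
DRY_RUN="${DRY_RUN:-1}"

# Emit the ipfw rule set (without the leading "ipfw") so it can be reviewed.
gen_dummynet_rules() {
    cat <<EOF
pipe $PIPE config bw 200Mbit/s queue 200 gred 0.002/20/80/0.1
add $RULE pipe $PIPE udp from any to me in recv $IFACE
EOF
}

# Print the rules (dry run) or apply them. one_pass=0 makes packets leaving
# the pipe re-enter the ruleset, so later ipfw rules still see them.
apply_dummynet_rules() {
    if [ "$DRY_RUN" != "0" ]; then
        gen_dummynet_rules
        return 0
    fi
    kldload -n dummynet
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null
    gen_dummynet_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $line
    done
}

# Caveat for the poster's case: a pipe on the attacked host only shapes what
# the NIC has already received. It keeps the host alive but does not free the
# upstream link; for that the same pipe has to sit on a border router.
apply_dummynet_rules
```

Watch queue occupancy with `ipfw pipe show` while tuning; if the queue sits at max_th during normal traffic the thresholds are too low for the link.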