Date:      Mon, 6 Jan 2003 03:56:51 +0300 (MSK)
From:      "."@babolo.ru
To:        Josh Brooks <user@mail.econolodgetulsa.com>
Cc:        Lars Eggert <larse@ISI.EDU>, freebsd-net@FreeBSD.ORG
Subject:   Re: Need help dealing with (D)DoS attacks (desperately)
Message-ID:  <200301060056.h060uq2J046966@aaz.links.ru>
In-Reply-To: <20030105132545.I80512-100000@mail.econolodgetulsa.com>

> 
> Hello,
> 
> Ok, right now this second, everything is normal, I am not under attack
> AFAIK, and everything is working wonderfully - and when I run top I see:
> 
> 21 processes:  1 running, 20 sleeping
> CPU states:  0.0% user,  0.0% nice,  0.0% system, 41.7% interrupt, 58.3%
> idle
> Mem: 6812K Active, 43M Inact, 28M Wired, 28K Cache, 35M Buf, 170M Free
> Swap: 128M Total, 128M Free
> 
> and it fluctuates between 20-60% idle
> 
> So it does look like the cpu is ... being used :)  uptime tells me:
> 
> # uptime
>  1:22PM  up 20 days, 11:52, 2 users, load averages: 0.02, 0.01, 0.00
> 
> -----
> 
> ipfw rules:
> 
> # ipfw show | wc -l
>      927
> 
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
> 
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any
> 
> ------
> 
> CPU is a ... celeron 500 ?  600 ?  Something like that, and I have 256
> megs ram.
> 
> More information:  although it looks like I am using a lot of cpu, and do
> indeed have a lot of ipfw rules, I _do know_ that it was an attack, as it
> was aimed at IPs running very high profile services (ircd, etc.) that have
> been targets in the past.  We filtered those IPs and the problem went away
> instantly.
I administer big (~1000 users each) nets.

Without such rules at the beginning of the ipfw ruleset:

02300      96121   77175703 pipe 2300 ip from X.X.X.X/24 to any in recv xl1
02300      26528   17986211 pipe 2300 ip from Y.Y.Y.Y/24 to any in recv xl3
02300      27044   21370476 pipe 2300 ip from Z.Z.Z.Z/24 to any in recv xl4

the router was unstable because of the great number of rules: <*1>
Pipes restrict per IP address, in my case: <*2>
!Place pipe rules at the beginning of the ruleset to protect
your router from floods!

Other tips:
Remember that routed packets go through
the ruleset twice; write rules to optimize
CPU usage.

Use special tools to collect traffic.
I use argus - it is a beautiful traffic
auditing tool and costs less CPU.
It behaves better under overload
because much of the work is done in userland.

Sorry for my bad English.
Ask when you need help.
--

<*1>
0sw~(1)#ipfw show | wc
     435    4868   41602
0rw~(1)#ipfw show | wc
    1917   19228  153479
0gw~(1)#ipfw show | wc
     317    3480   34721
And so on.
Some rules are very wide (ipfw2 specific).

<*2>
0kw~(1)#ipfw pipe show
02300:   3.200 Mbit/s    0 ms  30 KB 44 queues (1024 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
.... different pipes for different user classes

In your case you probably need a tube in the other direction:
0x00000000/0x0000 -> 0xffffffff/0x0000

-- 
@BABOLO      http://links.ru/
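An added illustration (not part of babolo's mail or of ipfw itself) of what the pipe mask in the footnote does: a small Python model of dummynet's per-flow queue selection, comparing a single shared queue with the "other direction" per-destination mask recommended above. The masks, the 30 KB droptail buffer and the traffic burst are constructed assumptions, and only the address part of the mask is modelled (the /0x0000 port part is ignored).

```python
import ipaddress
from collections import defaultdict

def flow_key(src, dst, src_mask, dst_mask):
    """Queue key the way dummynet picks it: address fields ANDed with the pipe mask."""
    s = int(ipaddress.IPv4Address(src)) & src_mask
    d = int(ipaddress.IPv4Address(dst)) & dst_mask
    return (s, d)

def run_pipe(packets, src_mask, dst_mask, queue_bytes=30 * 1024):
    """Pass one burst of (src, dst, size) packets through a pipe whose queues are
    droptail buffers of queue_bytes each (like the '30 KB ... droptail' output),
    one queue per distinct flow key. Returns {dst: (accepted, dropped)}."""
    fill = defaultdict(int)                    # bytes currently queued per flow key
    stats = defaultdict(lambda: [0, 0])        # per destination: [accepted, dropped]
    for src, dst, size in packets:
        key = flow_key(src, dst, src_mask, dst_mask)
        if fill[key] + size <= queue_bytes:
            fill[key] += size
            stats[dst][0] += 1
        else:
            stats[dst][1] += 1                 # droptail: buffer full, packet dropped
    return {d: tuple(v) for d, v in stats.items()}

# Constructed burst: a flood from many sources toward one host arrives first,
# followed by a trickle of legitimate traffic to a neighbouring host.
FLOOD = [(f"198.51.100.{i % 250 + 1}", "192.0.2.10", 1400) for i in range(200)]
LEGIT = [("203.0.113.5", "192.0.2.20", 500) for _ in range(10)]
BURST = FLOOD + LEGIT

def compare():
    # mask 0x00000000 -> 0x00000000: one shared queue, the flood fills it for everyone
    shared = run_pipe(BURST, 0x00000000, 0x00000000)
    # mask 0x00000000 -> 0xffffffff: one queue per destination, only the target's overflows
    per_dst = run_pipe(BURST, 0x00000000, 0xffffffff)
    return shared, per_dst

if __name__ == "__main__":
    shared, per_dst = compare()
    print("shared queue:      ", shared)
    print("per-destination:   ", per_dst)
```

With the shared queue the neighbour gets only 2 of its 10 packets through; with a per-destination mask all 10 pass while the flooded host's queue alone overflows.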
