From owner-freebsd-net Sun Jan 5 16:55:37 2003
Message-Id: <200301060056.h060uq2J046966@aaz.links.ru>
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
In-Reply-To: <20030105132545.I80512-100000@mail.econolodgetulsa.com>
To: Josh Brooks
Date: Mon, 6 Jan 2003 03:56:51 +0300 (MSK)
From: "."@babolo.ru
Cc: Lars Eggert, freebsd-net@FreeBSD.ORG
Sender: owner-freebsd-net@FreeBSD.ORG

> Hello,
>
> Ok, right now this second, everything is normal, I am not under attack
> AFAIK, and everything is working wonderfully - and when I run top I see:
>
> 21 processes: 1 running, 20 sleeping
> CPU states: 0.0% user, 0.0% nice, 0.0% system, 41.7% interrupt, 58.3% idle
> Mem: 6812K Active, 43M Inact, 28M Wired, 28K Cache, 35M Buf, 170M Free
> Swap: 128M Total, 128M Free
>
> and it fluctuates between 20-60% idle
>
> So it does look like the cpu is ... being used :) uptime tells me:
>
> # uptime
> 1:22PM up 20 days, 11:52, 2 users, load averages: 0.02, 0.01, 0.00
>
> -----
>
> ipfw rules:
>
> # ipfw show | wc -l
> 927
>
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
>
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any
>
> ------
>
> CPU is a ... celeron 500 ? 600 ? Something like that, and I have 256
> megs ram.
>
> More information: although it looks like I am using a lot of cpu, and do
> indeed have a lot of ipfw rules, I _do know_ that it was an attack, as it
> was aimed at IPs running very high profile services (ircd, etc.) that have
> been targets in the past. We filtered those IPs and the problem went away
> instantly.

I administrate big (~1000 users each) nets.

Without rules like these at the beginning of the ipfw ruleset:

02300  96121  77175703 pipe 2300 ip from X.X.X.X/24 to any in recv xl1
02300  26528  17986211 pipe 2300 ip from Y.Y.Y.Y/24 to any in recv xl3
02300  27044  21370476 pipe 2300 ip from Z.Z.Z.Z/24 to any in recv xl4

the router was unstable because of the great number of rules: <*1>

Pipes restrict per IP address, in my case: <*2>

!Place pipe rules at the beginning of the ruleset to protect your router
from flood!

Other tips:

Remember that routed packets go through the ruleset twice; write rules
to optimize CPU usage.

Use special tools to collect traffic. I use argus - it is a beautiful
traffic auditing tool and costs less CPU. It behaves better under
overload because much of the work is done in userland.

Sorry for my bad English. Ask when you need help.

--
<*1>
0sw~(1)#ipfw show | wc
     435    4868   41602
0rw~(1)#ipfw show | wc
    1917   19228  153479
0gw~(1)#ipfw show | wc
     317    3480   34721
And so on. Some rules are very wide (ipfw2 specific).

<*2>
0kw~(1)#ipfw pipe show
02300:   3.200 Mbit/s    0 ms   30 KB  44 queues (1024 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
....
different pipes for different user classes

In your case you probably need a tube in the other direction:
    0x00000000/0x0000 -> 0xffffffff/0x0000

--
@BABOLO http://links.ru/
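As an added example (not from this thread, and not babolo's or Josh's configuration), the following script emits the ruleset shape the reply describes: dummynet pipes with a per-address mask at the lowest rule numbers, ahead of the long list of bandwidth-accounting "count" rules. It assumes FreeBSD ipfw2/dummynet syntax; the interface name, the 192.0.2.0/24 network, the host addresses and the rule numbers are constructed placeholders, and it prints the commands instead of running them unless IPFW is pointed at the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset in which
# per-address dummynet pipes sit at the lowest rule numbers, so a flood is
# rate-limited before it reaches the long tail of "count" rules.
# Dry run by default: set IPFW=ipfw to apply the commands for real.
IPFW="${IPFW:-echo ipfw}"

# emit_flood_rules DIRECTION IFACE NET
#   src: one queue per source address (babolo's inbound user networks)
#   dst: one queue per destination address (the direction suggested for
#        Josh, whose flood targets are a few high-profile server IPs)
# Bandwidth and queue size mirror the "ipfw pipe show" output in the
# thread; they are placeholders to tune for the real link.
emit_flood_rules() {
    dir="$1"; iface="$2"; net="$3"
    case "$dir" in
        src) mask="mask src-ip 0xffffffff" ;;
        dst) mask="mask dst-ip 0xffffffff" ;;
        *)   echo "direction must be src or dst" >&2; return 1 ;;
    esac
    # The mask makes dummynet keep a separate queue per address, so one
    # flooded host cannot starve the others sharing the pipe.
    $IPFW pipe 2300 config bw 3200Kbit/s queue 30KB $mask
    # Rule 100 is evaluated before the accounting rules numbered from 1000;
    # ipfw orders by rule number, not by the order the rules were added.
    if [ "$dir" = src ]; then
        $IPFW add 100 pipe 2300 ip from "$net" to any in recv "$iface"
    else
        $IPFW add 100 pipe 2300 ip from any to "$net" in recv "$iface"
    fi
}

# emit_count_rules HOST...: per-host bandwidth accounting, numbered from
# 1000. Note: with the default net.inet.ip.fw.one_pass=1 packets leaving
# the pipe are accepted and never reach these rules; set one_pass=0 if the
# counters must still see pipe-limited traffic.
emit_count_rules() {
    n=1000
    for host in "$@"; do
        $IPFW add "$n" count ip from any to "$host"; n=$((n + 1))
        $IPFW add "$n" count ip from "$host" to any; n=$((n + 1))
    done
}

# Constructed sample: flood arrives on xl1, servers live in 192.0.2.0/24.
emit_flood_rules dst xl1 192.0.2.0/24
emit_count_rules 192.0.2.10 192.0.2.11
```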