Date: Wed, 25 Sep 2013 11:23:21 -0600
From: NetOps Admin <netops.admin@epsb.ca>
To: freebsd-ipfw@freebsd.org
Subject: stopping an attack (fraggle like)
Message-ID: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>
Hi,

We are currently getting hit with a DoS attack that looks very similar to a Fraggle attack. We are seeing a large amount of UDP traffic coming at us from thousands of hosts. The source UDP port is 19 (chargen) and when it hits it consumes a 2Gb/s link.

Our main router is a FreeBSD server with ipfw installed. I have tried blocking UDP port 19 incoming from the internet in a firewall rule, but the UDP packets are very large and they are followed by a number of fragmented packets. I think that even though I am blocking port 19, the fragmented packets are getting through and eating up the bandwidth.

I am a little hesitant about using a UDP deny rule with "keep-state" to try and block the following fragmented packets. I don't want to cause memory issues. Can I use keep-state with a deny rule? Will it have issues if I use keep-state to track thousands of hosts on a saturated 2 Gb/s link?

Any ideas on how others are controlling this?

Thanks
-----
Kirk
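Added example, not part of the thread: a small Python model of why a port-based ipfw rule sees only the first fragment of a large chargen reply, and what ipfw's `frag` option (non-first fragments) catches instead. The packets are constructed sample data, and the rule text is ipfw-style only for readability; the predicates model the match semantics, they do not invoke ipfw.

```python
import struct

IPPROTO_UDP = 17

def ipv4(src, dst, proto, ident, mf, offset, payload):
    """Build a minimal IPv4 packet (no options); offset is in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse(pkt):
    """Return (proto, fragment_offset, l4_bytes) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    return pkt[9], offset, pkt[ihl:]

def udp_src_port(pkt):
    """The UDP header is only present in the first fragment (offset 0)."""
    proto, offset, l4 = parse(pkt)
    if proto != IPPROTO_UDP or offset != 0 or len(l4) < 8:
        return None
    return struct.unpack("!H", l4[0:2])[0]

def is_non_first_fragment(pkt):
    """What ipfw's 'frag' option matches: a fragment other than the first."""
    return parse(pkt)[1] != 0

# Rule text is ipfw-style for readability; the predicates model the match.
PORT_RULE = ("deny udp from any 19 to any in", lambda p: udp_src_port(p) == 19)
FRAG_RULE = ("deny ip from any to any frag in", is_non_first_fragment)

def first_match(pkt, rules):
    """First-match evaluation, like ipfw walking a ruleset top to bottom."""
    for text, pred in rules:
        if pred(pkt):
            return text
    return "allow"

# Constructed sample packets (not captures from the thread).
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])
udp_hdr = lambda sport, dport, plen: struct.pack("!HHHH", sport, dport, 8 + plen, 0)
# A large chargen reply: the first fragment carries the UDP header, MF set...
CHARGEN_FIRST = ipv4(SRC, DST, IPPROTO_UDP, 0x1234, True, 0, udp_hdr(19, 40000, 4000) + b"A" * 1472)
# ...and the continuation fragment has no UDP header at all, only payload.
CHARGEN_REST = ipv4(SRC, DST, IPPROTO_UDP, 0x1234, False, 185, b"A" * 1480)
# An ordinary, unfragmented DNS reply for comparison.
DNS_REPLY = ipv4(SRC, DST, IPPROTO_UDP, 0x5678, False, 0, udp_hdr(53, 40001, 12) + b"\x00" * 12)

if __name__ == "__main__":
    for name, pkt in [("chargen first", CHARGEN_FIRST), ("chargen rest", CHARGEN_REST), ("dns", DNS_REPLY)]:
        print(f"{name:14s} port rule only: {first_match(pkt, [PORT_RULE]):32s} "
              f"port+frag: {first_match(pkt, [PORT_RULE, FRAG_RULE])}")
```

A blanket `frag` deny also drops the non-first fragments of legitimate traffic (large DNS replies, for example), so in practice it is scoped or rate-limited rather than applied to everything.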