Date: Wed, 25 Sep 2013 11:23:21 -0600 From: NetOps Admin <netops.admin@epsb.ca> To: freebsd-ipfw@freebsd.org Subject: stopping an attack (fraggle like) Message-ID: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi,
We are currently getting hit with a DoS attack that looks very
similar to a Fraggle attack. We are seeing a large amount of UDP traffic
coming at us from thousands of hosts. The source UDP port is 19 (chargen)
and when it hits it consumes a 2Gb/s link.
Our main router is a FreeBSD server with ipfw installed. I have
tried blocking UDP port 19 incoming from the internet in a firewall rule
but the UDP packets are very large and they are followed by a number of
fragmented packets. I think that even though I am blocking port 19, the
fragmented packets are getting though and eating up the bandwidth.
I am a little hesitant of using a UDP deny rule with "keep-state" to
try and block the following fragmented packets. I don't want to cause
memory issues.
Can I use keep-state with a deny rules? Will it have issues if I use
keep-state to track thousands of hosts in a saturated 2 Gb/s link?
Any ideas on how others are controlling this?
Thanks
----- Kirk
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ>