Date:      Sun, 5 Jan 2003 13:31:24 -0800 (PST)
From:      Josh Brooks <user@mail.econolodgetulsa.com>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Need help dealing with (D)DoS attacks (desperately)
Message-ID:  <20030105132545.I80512-100000@mail.econolodgetulsa.com>
In-Reply-To: <3E18A1BA.8000607@isi.edu>

Hello,

Ok, right now this second, everything is normal, I am not under attack
AFAIK, and everything is working wonderfully - and when I run top I see:

21 processes:  1 running, 20 sleeping
CPU states:  0.0% user,  0.0% nice,  0.0% system, 41.7% interrupt, 58.3% idle
Mem: 6812K Active, 43M Inact, 28M Wired, 28K Cache, 35M Buf, 170M Free
Swap: 128M Total, 128M Free

and it fluctuates between 20-60% idle

So it does look like the cpu is ... being used :)  uptime tells me:

# uptime
 1:22PM  up 20 days, 11:52, 2 users, load averages: 0.02, 0.01, 0.00

-----

ipfw rules:

# ipfw show | wc -l
     927

So, I have 927 ipfw rules in place - but I am guessing that about 800 of
those rules are just "count" rules for me to count bandwidth:

001 164994 120444282 count ip from any to 10.10.10.10
002 158400 16937232 count ip from 10.10.10.10 to any

------

CPU is a ... celeron 500 ?  600 ?  Something like that, and I have 256
megs ram.

More information:  although it looks like I am using a lot of cpu, and do
indeed have a lot of ipfw rules, I _do know_ that it was an attack, as it
was aimed at IPs running very high profile services (ircd, etc.) that have
been targets in the past.  We filtered those IPs and the problem went away
instantly.

So again, what should I be looking to add ?  Before my list included only
the syn/fin protection, and now I am being told to block all icmp types
besides 0,3,8,11.  Any other thoughts ?

thanks!


On Sun, 5 Jan 2003, Lars Eggert wrote:

> On 1/5/2003 1:05 PM, Josh Brooks wrote:
> >
> > I am running this as my firewall/router:
> >
> > 4.4-RELEASE FreeBSD 4.4-RELEASE #0
> >
> > And I have no ability to change that anytime soon.  Recently I have been
> > having a lot of trouble with floods/ddos/etc.  When these attacks occur,
> > my firewall is totally unresponsive, I cannot ssh in to type a single
> > command (and thus cannot tcpdump anything) and clients of systems on the
> > inside either get no response, or get:
>
> What processor and NICs do you use? This sounds like your machine is
> being pushed into livelock, which shouldn't happen at the traffic load
> you described (when you say "megs", do you mean Mb/s or MB/s?)
> Complicated firewall rule sets also eat CPU time.
>
> Lars
> --
> Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
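As an added example (not from the thread, and not FreeBSD's own tooling), a POSIX shell script that summarizes `ipfw show` output in the format the post pastes it: rules per action, and bytes accumulated per host by the count rules, so one can check how much of a large ruleset is accounting rather than filtering. The sample output is constructed; the rule bodies, including the icmptypes 0,3,8,11 allow rule the poster was advised to add, are assumptions, not the poster's actual ruleset.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output (rule number, packets, bytes,
# action, rule body). Hosts, counters and rule bodies are made up for this
# example; they are not the ruleset from the post.
SAMPLE='00001 164994 120444282 count ip from any to 10.10.10.10
00002 158400 16937232 count ip from 10.10.10.10 to any
00003 0 0 deny tcp from any to any tcpflags syn,fin
00004 12 960 allow icmp from any to any icmptypes 0,3,8,11
00005 7 560 deny icmp from any to any
00006 99 8000 count ip from any to 10.10.10.11
65535 5000 400000 allow ip from any to any'

# Reads `ipfw show` output on stdin; prints "<action> <rules>" per action,
# most frequent first, so one can see how much of a ruleset is "count".
rules_by_action() {
    awk '{ n[$4]++ } END { for (a in n) printf "%s %d\n", a, n[a] }' \
        | sort -k2,2nr -k1,1
}

# Reads `ipfw show` output on stdin; for count rules, sums the byte counter
# per host (the non-"any" side of "from X to Y"), one "<host> <bytes>" line
# per host, sorted by host.
count_bytes_per_host() {
    awk '$4 == "count" {
             host = ($7 == "any") ? $9 : $7
             b[host] += $3
         }
         END { for (h in b) printf "%s %d\n", h, b[h] }' | sort
}

# Reads `ipfw show` output on stdin; prints the N (default 5) hosts whose
# count rules have accumulated the most bytes.
top_hosts() {
    count_bytes_per_host | sort -k2,2nr | head -n "${1:-5}"
}

# Usage: ipfw show | rules_by_action   (here run on the constructed sample)
printf '%s\n' "$SAMPLE" | rules_by_action
printf '%s\n' "$SAMPLE" | top_hosts 3
```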
