On Tue, Jul 1, 2014 at 7:23 PM, Mark van der Meulen <m...@fivenynes.com>
wrote:

> Try not to ever do the DDOS or DOS detection on the network device unless
> it is a device dedicated to doing such acts.
>

+1


>
> My recommendation and is something we do:
>
>
> - Don't use PF it is slow on FreeBSD - if you want to use PF, consider
> OpenBSD.
>

My own benchmarks regarding ipfw/pf and FreeBSD/OpenBSD:
http://dev.bsdrp.net/benchs/BSD.network.performance.TenGig.png

=> OpenBSD network stack, NIC drivers and pf don't support multi-core:
FreeBSD does.


>
> We currently use all open source tools to analyse data in real time and
> talk back to our BSDRP routers to perform RTBH, connection limiting,
> blocks, etc.
>
> The netfilter modules for connection limits and such like are handy when
> using it on a server especially if it's hosting content, however on
> routers which push large amounts of PPS it performs poorly and is a bit of
> a hack to be honest. I'd avoid any of those kind of solutions even if they
> are available for PF or IPFW.
>

I try to avoid "stateful" firewalls for protecting a server farm: a stateful
firewall was designed for protecting only "clients that initiate traffic to
unknown".
Try to put a stateful firewall in front of a DNS server as an example: the
firewall will become the bottleneck long before the DNS server :-)

And regarding DOS/DDOS: once it enters your pipe, it's too late. You should
check with your SP the solution they propose for filtering this traffic
before it comes to you.

Regards,

Olivier
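As an added illustration of the "stateful firewall in front of a DNS server" point above (this is an example written for this page, not a configuration from Olivier, Mark or the BSDRP project), here is a pf.conf fragment for a FreeBSD box in front of a small DNS farm. The interface name, the 192.0.2.x addresses and the state limit are hypothetical; the stateful rule is kept as a comment beside the stateless rules that replace it.

```pf
# Added example, not from the mailing-list thread. Interface, addresses and
# limits are hypothetical; 192.0.2.0/24 is documentation space (TEST-NET-1).
ext_if   = "igb0"
dns_farm = "{ 192.0.2.10, 192.0.2.11 }"

# Default deny on the outside interface; the quick rules below punch holes.
block in on $ext_if

# Weak setting: a stateful rule for inbound DNS. Every query from every
# resolver on the Internet allocates a state entry, so under a query flood
# the state table (and the lock protecting it) saturates long before the
# DNS server does. Kept here only for comparison, hence commented out:
#   pass in quick on $ext_if proto udp from any to $dns_farm port 53 keep state

# Corrected: filter the server farm statelessly. Each packet is matched
# against the ruleset and forwarded; nothing is allocated per flow.
pass in  quick on $ext_if proto udp from any to $dns_farm port 53 no state
pass out quick on $ext_if proto udp from $dns_farm port 53 to any no state

# TCP/53 (zone transfers, truncated-response fallback) is stateless as well.
# "flags any" is required: without state, pf's default "flags S/SA" would
# match only the SYN and drop the rest of the connection.
pass in  quick on $ext_if proto tcp from any to $dns_farm port 53 flags any no state
pass out quick on $ext_if proto tcp from $dns_farm port 53 to any flags any no state

# Keep state only for traffic this box itself initiates, which is the case
# stateful filtering was designed for, and cap the table so a flood of
# outbound-matching packets cannot exhaust kernel memory (value hypothetical).
set limit states 100000
pass out on $ext_if from ($ext_if) to any keep state
```

To see whether the state table is the thing filling up on an existing box, `pfctl -si` reports the current number of state entries and a `state-limit` counter that increments whenever a packet was dropped because the table was full; `pfctl -vsr` shows per-rule packet counters, so the stateless DNS rules above can be checked against the traffic that actually reaches the farm.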
Bsdrp-users mailing list
Bsdrp-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bsdrp-users
