On 5/18/07, Volker <[EMAIL PROTECTED]> wrote:
> This isn't a bandwidth issue, but filling the network buffer more than
> anything else, so there are no more free sockets, and I can't connect
> to the server via ssh, it's not syn as well.
>
> But mass connect to IRC server with small bw, and the server isn't
> lagged at all.
>
> Rate: 245,919 Packets Per Second
>
> What is the best way to deal with such DDoS?

Abdullah,

I'm not quite sure if I get you right.

If TCP traffic arrives without a SYN set, you can easily block that by
using 'pass ... flags S/SA' so the traffic never reaches your daemon.

Also for tcp traffic you may want to try 'synproxy state'.

The last thing you can do is to use altq, feed the traffic into a low
bandwidth queue and still be able to serve other traffic. As you can't
control the downstream usage that way, you're at least able to limit
the response and slow down traffic that way a bit. I'm doing this for
SMTP traffic and it works great (I'm slowing down all SMTP traffic
from windows boxes to my home server to a maximum of 6 kBit/s - non
windows boxes are getting 40 kBit/s for SMTP connections, a bit too
rude, I know but it works).

Keep in mind, if you're under a DDoS attack, your bandwidth may still
be eaten up, but the effects on your machine will be limited when
using S/SA + synproxy state + bandwidth limiting.

If I get you wrong, please explain your problem in a bit more detail.

HTH

Volker


Thank you for the tip.

Here is what I'm using, which fixed the issue.

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
       flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
       flags S/SA keep state \
       (max-src-conn 30, max-src-conn-rate 30/3, \
        overload <bruteforce> flush global)
pass out proto tcp to any keep state

Comments?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
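
Added example, not part of the original thread or the posters' own configuration: pf applies the last matching rule unless `quick` is used, so when two `pass in` rules match the same traffic only the later rule's state options take effect. One way to keep `flags S/SA`, `synproxy state` and the per-source limits together is a single rule, with the overload table defined and blocked. The values of `ext_if` and `tcp_services`, the table definition and the block rule are assumptions, not taken from the posted ruleset.

```pf
# Assumed placeholder values; the thread does not give the real ones.
ext_if = "em0"
tcp_services = "{ 22, 6667 }"

# Table that the overload option fills; persist keeps it when empty.
table <bruteforce> persist

# Drop everything from sources that already tripped the limits.
# 'quick' stops evaluation here, so later pass rules cannot override it.
block in quick on $ext_if from <bruteforce>

# One rule instead of two: require an initial SYN (flags S/SA), let pf
# complete the handshake before the daemon sees it (synproxy state),
# and apply the per-source connection limits to the same states.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)

pass out proto tcp to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t bruteforce -T show` lists the addresses currently in the table.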