Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources. Deny all ICMP (drop I mean) and UDP except where specifically required. And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need. The less you do with the firewall (routing/blocking/inspecting) the better. Drop drop drop ;)

In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link. I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps. I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!

-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" <jim.howl...@outlook.com> wrote:

> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network
> from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as
> possible.
> Even if I'm not able to prevent or block a DDoS I would like to get some
> info (SNMP trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
>
> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscr...@freebsd.org"

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
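
A minimal pf.conf along the lines of the reply above, added here as an illustration; it is not the poster's own configuration. The interface name, the admin and BGP peer addresses, and the assumption that OSPF runs only on internal interfaces are all hypothetical.

```conf
# /etc/pf.conf sketch (constructed example, not from the thread).
# Assumptions: em0 is the upstream NIC, 192.0.2.10 is the admin's static IP,
# 198.51.100.1 is the BGP peer, OSPF runs only on internal interfaces.
ext_if   = "em0"
admin_ip = "192.0.2.10"
bgp_peer = "198.51.100.1"

# Sources that should never arrive from upstream (adjust if your peering
# uses private address space).
table <bogons> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                       127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 }

set skip on lo0
set block-policy drop            # drop silently, never answer with RST/ICMP

# Source-spoof settings: drop packets claiming our own or bogus sources.
antispoof quick for $ext_if
block drop in quick on $ext_if from <bogons> to any

# Drop everything addressed to the router itself on the upstream side.
# This covers ICMP and UDP, since nothing below re-opens them.
block drop in on $ext_if from any to self

# Only what is specifically required: BGP from the peer, SSH from the admin IP.
pass in quick on $ext_if proto tcp from $bgp_peer to self port 179
pass in quick on $ext_if proto tcp from $admin_ip to self port 22

# Router-originated traffic keeps state so that replies are accepted.
pass out quick on $ext_if from self to any

# No rule here matches transit traffic. pf passes unmatched packets without
# creating state, so forwarded packets cost no state-table entries.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep a console session open when testing rules that restrict SSH.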