Hello,

Kevin, thank You for the information.

> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am 
> unsure of your connection I cannot recommend specifics. However, it is best 
> to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw 
> and do some straightforward deny/allow + source spoof settings.
> 
> Above all, don't go overboard with firewall configuration. People often try 
> to do far too much tracking/packet rate limiting, etc. It just burns up free 
> resources.
>

Let me tell You a bit about my setup. All my connections to ISPs are 1 Gigabit 
each.
They are terminated on my switch, and the router is connected to that switch.
 
> Deny all ICMP (drop I mean) and UDP except where specifically required.

Is dropping ICMP really helpful? I can limit ICMP only to my monitoring host - 
that is no problem.
 
> And just do general hardening... Get yourself a static IP or VPN. Deny all 
> console/ssh access except to that IP. Same here, a simple host deny will 
> satisfy this need.
>

This is already done. I also have out-of-band management to my router over a 
different network connection. If all my ISPs fail I can still connect to that 
router.
 
> The less you do with the firewall (routing/blocking/inspecting) the better.
> 
> Drop drop drop ;)
> 
> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps 
> connection with legit traffic and block most high PPS floods as long as they 
> don't saturate the link.
>

I have the following ethernet cards in my router:
  device     = '82579LM Gigabit Network Connection'
  device     = '82571EB Gigabit Ethernet Controller'
  device     = '82571EB Gigabit Ethernet Controller'
  device     = '82574L Gigabit Network Connection'
 
but at this moment I use only the 82571EB model.

> I have run similar configurations in 10Gbps scenarios and there are certainly 
> limitations even in 1Gbps cases... Though, you can't plan for everything - 
> the best you can do is be prepared for the majority of general UDP/ICMP/TCP 
> SYN or service specific attacks like SSH/FTP, etc.
>

At this moment an attack on port 80 kills my network connection with the number 
of PPS. 200000 is reached in a second and the router can't process any new 
connections.

> I'm actually at dinner so I apologize for the lack of further detail. I'm not 
> even certain this makes sense but hopefully it helps.
>

There is nothing to apologize for - You are most helpful.
 
> I have my configs which I can send by tomorrow if needed. (For examples)
> 

That would be great.

All best,
Jim
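The following pf.conf sketch is an added example, not a config from Kevin or Jim, of the approach Kevin describes above: antispoof and a default drop, ICMP only from the monitoring host, SSH only from a fixed management address, a modest amount of state tracking, and a SYN-proxied rule for the port 80 service that Jim says is being flooded. The interface name em0 and all 192.0.2.x addresses are placeholders.

```pf
# Added example (not this thread's config). em0 and 192.0.2.x are placeholders.
ext_if  = "em0"          # 82571EB port facing the ISP (assumed name)
mgmt_ip = "192.0.2.10"   # static IP / VPN endpoint allowed to reach SSH
mon_ip  = "192.0.2.20"   # monitoring host allowed to ping the router
web_ip  = "192.0.2.80"   # address answering on port 80

# RFC 1918 ranges that must never arrive from the Internet side
table <bogons>   const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <flooders> persist      # filled by the overload rule on port 80

set skip on lo0
set block-policy drop         # silently drop, never send RSTs/unreachables
set optimization normal       # no aggressive state timeouts or tracking

scrub in on $ext_if all fragment reassemble

# Source-spoof protection and a default deny
antispoof quick for { lo0 $ext_if }
block in quick on $ext_if from <bogons> to any
block in quick on $ext_if from <flooders> to any
block in log all
pass out quick on $ext_if keep state

# ICMP: echo requests only from the monitoring host; all other ICMP and
# all UDP fall through to the default block above
pass in quick on $ext_if inet proto icmp from $mon_ip to ($ext_if) icmp-type echoreq

# SSH/console access only from the management address
pass in quick on $ext_if proto tcp from $mgmt_ip to ($ext_if) port 22 \
    flags S/SA keep state

# Public web service: pf completes the TCP handshake itself, so a SYN flood
# never creates half-open connections on the host behind it; sources that
# open connections too fast are moved into <flooders> and their state flushed
pass in quick on $ext_if proto tcp from any to $web_ip port 80 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/10, overload <flooders> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -t flooders -T show` lists the addresses the overload rule has trapped. The synproxy and overload settings are the only per-source tracking here, on purpose: per Kevin's point, the default-drop rules do most of the work at low cost, and the state-tracking thresholds should be tuned to the real traffic on the 1 Gigabit links rather than set as tightly as possible.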

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security