James, That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?
You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion. Works incredibly well. ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked. If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations. Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACL's that can be put in at the switch. However, if the BSD box is either live locking or crashing then you need to fix that first. I would state that enabling polling can be done from the command line if it's already enabled in the kernel. Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first. Thanks, Kevin On Feb 10, 2013, at 3:07 AM, "James Howlett" <jim.howl...@outlook.com> wrote: > Hello, > > Kevin, thank You for the information. > >> FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am >> unsure of your connection I cannot recommend specifics. However, it is best >> to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw >> and do some straight forward deny/allow + source spoof settings. >> >> Above all, don't go overboard with firewall configuration. People often try >> to do far too much tracking/packet rate limiting, etc. It just burns up free >> resources. > > Let me tell You a bit about my setup. All my connections to ISP's are > 1Gigabit each. > They are terminated on a my switch, and the router is connected to that > switch. > >> Deny all ICMP (drop I mean) and UDP except where specifically required. > > Is droping ICMP really helpful? I can limit ICMP only to my monitoring host - > that is no problem. > >> And just do general hardening... Get yourself a static IP or VPN. Deny all >> console/ssh access except to that IP. Same here, a simple host deny will >> satisfy this need. > > This is already done. I also have out of band management to my router over a > different network connection. If all my ISP's fail I can still connect to > that router. > >> The less you do with the firewall (routing/blocking/inspecting) the better. >> >> Drop drop drop ;) >> >> In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps >> connection with legit traffic and block most high PPS floods as long as they >> don't saturate the link. > > I have the following ethernet cards in my router: > device = '82579LM Gigabit Network Connection' > device = '82571EB Gigabit Ethernet Controller' > device = '82571EB Gigabit Ethernet Controller' > device = '82574L Gigabit Network Connection' > > but at this moment I use only the 82571EB model. > >> I have ran similar configurations in 10Gbps scenarios and there are >> certainly limitations even in 1Gbps cases... Though, you can't plan for >> everything - the best you can do is be prepared for the majority of general >> UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc. > > At this moment an attack on 80 port kills my network connection with the > number of PPS. 200000 is reached in a second and the router can't proccess > any new connections. > >> I'm actually at dinner so I apologize for the lack of further detail. I'm >> not even certain this makes sense but hopefully it helps. > > There is nothing to apologize for - You are most helpful. > >> I have my configs which I can send by tomorrow if needed. (For examples) > > That would be great. > > All best, > Jim > > > _______________________________________________ > freebsd-...@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscr...@freebsd.org" _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
