Hi.
I am running this as my firewall/router:
4.4-RELEASE FreeBSD 4.4-RELEASE #0
And I have no ability to change that anytime soon. Recently I have been
having a lot of trouble with floods/ddos/etc. When these attacks occur,
my firewall is totally unresponsive, I cannot ssh in to type a single
> On 1/5/2003 1:05 PM, Josh Brooks wrote:
> >
> > I am running this as my firewall/router:
> >
> > 4.4-RELEASE FreeBSD 4.4-RELEASE #0
> >
> > And I have no ability to change that anytime soon. Recently I have been
> > having a lot of trouble with floods/
hanks a LOT.
On Sun, 5 Jan 2003, Lars Eggert wrote:
> On 1/5/2003 1:05 PM, Josh Brooks wrote:
> >
> > I am running this as my firewall/router:
> >
> > 4.4-RELEASE FreeBSD 4.4-RELEASE #0
> >
> > And I have no ability to change that anytime soon. Recently I have
Alternatively, is getting a much faster CPU (p3 1.6g ?) a "big hammer"
that solves problems related to the number of rules being parsed for each
packet ?
Just curious.
On Sun, 5 Jan 2003, Barney Wolff wrote:
> On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> >
Hello,
With the help of people in this group I have largely solved my problems -
by simply placing in rules to drop all packets except the ones going to
ports/services that are actually in use on the destination, I have found
that even during a large attack (the kinds that used to cripple me) I h
My goal is to protect my FreeBSD firewall. As I mentioned, now that I
have closed off everything to the victim except the ports he is actually
running services on, everything is great! The firewall is just fine -
even during a big syn flood, because it just drops all the packets that
aren't goin
o
when syn floods no longer do the job ?
thanks!
On Fri, 10 Jan 2003, Jess Kitchen wrote:
> On Fri, 10 Jan 2003, Josh Brooks wrote:
>
> > My goal is to protect my FreeBSD firewall. As I mentioned, now that I
> > have closed off everything to the victim except the ports he is actu
ess of what they conclude from this, what is the standard "next
> > step" ? If they are just flooders/packeteers, what do they graduate to
> > when syn floods no longer do the job ?
> >
> > thanks!
> >
> > On Fri, 10 Jan 2003, Jess Kitchen wrote:
> >
What would you run on a different server to do traffic estimation ? How
would you do such a thing ?
thanks.
On Sat, 11 Jan 2003 [EMAIL PROTECTED] wrote:
> > Well, my "router" is the freebsd machine - celeron 500 and 256 megs.
> >
> > Where would you suggest doing bandwidth counts for all of my
gen wrote:
> On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
> >
> > But, I am concerned ... I am concerned that the attacks will simply
> > change/escalate to something else.
> >
> > If I were a script kiddie, and I suddenly saw that all of my ga
Hi,
After reading some more documents on DoS attacks (namely
http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there
are two nice mechanisms to thwart a large number of ack and syn floods.
First, it turns out (from the paper I mention above) that most of the SYN
flood tools ou
> also, ipfw can match packets by ack#. i've used this as criteria for a
> dummynet pipe rule in the past.
Great - that is just what I am looking for - so I can drop all packets
with an ack of zero.
Can someone show me an example rule of said behavior ?
My goal is to create an ipfw rule that stops normal syn floods by blocking
ALL syn packets that have no MSS set.
My understanding is that there is no legitimate packet that is a SYN and
has no MSS, and further, most of the kiddie tools in existence for syn
flooding do indeed send syn packets with
I have inserted this ipfw rule, based on guidance from the archives:
count icmp from any to any icmptype 4,5,9,10,12,13,14,15,16,17,18
Now, I am watching that count rule, and it keeps growing. This means that
people are sending me packets other than types 0,3,8,11.
So I wanted to see what they
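The three heuristics raised across these messages (drop a SYN that carries no MSS option, drop a segment whose acknowledgment number is zero, and watch for ICMP types other than 0, 3, 8 and 11) can be checked against raw packets before they are turned into ipfw rules. The classifier below is an added example written for this page, not code from the thread or from ipfw; the sample packets are constructed inline and the heuristic names are my own. One caveat it encodes: a legitimate SYN has an acknowledgment number of zero too, so the "ack of zero" test must also require the ACK flag, or it would drop every connection attempt.

```python
import struct
from typing import List, Optional

# Heuristics discussed in the thread (labels are assumptions for this example).
EXPECTED_ICMP_TYPES = {0, 3, 8, 11}   # echo reply, unreachable, echo request, time exceeded
TH_SYN = 0x02
TH_ACK = 0x10
TCPOPT_MSS = 2


def tcp_option_kinds(opts: bytes) -> List[int]:
    """Return the option kinds present in a TCP options field (NOP/EOL aware)."""
    kinds = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOL: nothing follows
            break
        if kind == 1:                 # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):        # truncated option, stop rather than misparse
            break
        length = opts[i + 1]
        if length < 2:                # malformed length would loop forever
            break
        kinds.append(kind)
        i += length
    return kinds


def classify(packet: bytes) -> Optional[str]:
    """Classify a raw IPv4 packet; return the matching heuristic name or None."""
    if len(packet) < 20:
        return "short-ip"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == 1:                    # ICMP
        if len(payload) < 4:
            return "short-icmp"
        if payload[0] not in EXPECTED_ICMP_TYPES:
            return "icmp-unexpected"
        return None
    if proto == 6:                    # TCP
        if len(payload) < 20:
            return "short-tcp"
        ack_num = struct.unpack("!I", payload[8:12])[0]
        doff = (payload[12] >> 4) * 4
        flags = payload[13]
        opts = payload[20:doff]
        if flags & TH_SYN and not flags & TH_ACK:
            # Pure SYN: every real stack sends an MSS option here.
            if TCPOPT_MSS not in tcp_option_kinds(opts):
                return "syn-no-mss"
            return None
        if flags & TH_ACK and ack_num == 0:
            # Only meaningful when ACK is set; a SYN legitimately has ack == 0.
            return "ack-zero"
        return None
    return None


# --- constructed sample packets (not captured traffic) ---------------------
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp(flags: int, ack: int = 0, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 12345, 80, 1, ack, doff << 4, flags,
                       8192, 0, 0) + options


def icmp(icmp_type: int, code: int = 0) -> bytes:
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


MSS_1460 = b"\x02\x04\x05\xb4"                       # kind 2, len 4, MSS 1460


def run_samples() -> dict:
    """Run the classifier over the constructed samples; returns name -> result."""
    samples = {
        "legit-syn":      ipv4(6, tcp(TH_SYN, options=MSS_1460)),
        "nop-padded-syn": ipv4(6, tcp(TH_SYN, options=b"\x01\x01" + MSS_1460)),
        "flood-syn":      ipv4(6, tcp(TH_SYN)),                  # no MSS option
        "flood-ack":      ipv4(6, tcp(TH_ACK, ack=0)),
        "legit-ack":      ipv4(6, tcp(TH_ACK, ack=0x1234)),
        "legit-synack":   ipv4(6, tcp(TH_SYN | TH_ACK, ack=2)),
        "echo-request":   ipv4(1, icmp(8)),
        "redirect":       ipv4(1, icmp(5)),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} -> {verdict}")
```

The option walker stops on a truncated or zero-length option instead of misreading it, which matters because malformed options are exactly what flood tools emit; a matcher that trusted the length byte could be walked off the end of the header.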
ipfw1
On Fri, 24 Jan 2003, Luigi Rizzo wrote:
> is this with ipfw1 or ipfw2 or both ?
>
> cheers
> luigi
>
> On Fri, Jan 24, 2003 at 03:56:54AM -0800, Josh Brooks wrote:
> >
> > I have inserted this ipfw rule, based on guidance from the archives:
>
Hello,
I have recently upgraded to ipfw2 running on 4.7-RELEASE. It seems to
be working fine.
However, my count rules ... aren't working well at all. I have clear and
correct testing that shows that many count rules do not increment at all
when traffic is clearly flowing. For instance:
count
Hello,
I am successfully running ipfw2 in FreeBSD 4.7-RELEASE. Everything seems
fine, but it seems like the stats on each of the rules are just _way way_
low. On all rules I notice this.
for instance:
65123 556880155 55168583654 allow ip from any to any
This shows 55 gigabytes of total trans
No, it should be catching much more than it shows.
Also many other rules that are quite specific are very very deflated. I
will do some real tests later today with firm numbers.
On Tue, 4 Mar 2003, Luigi Rizzo wrote:
> On Mon, Mar 03, 2003 at 03:03:58PM -0800, Josh Brooks wr
Hello,
I used to have a firewall with ipfw count rules in place for every IP I
had. This worked fine, but it gave me a 2000+ ruleset that would cause
cpu to skyrocket under even the lightest of DoS attacks.
So, I have plugged in another system on the DMZ and plan to count from
there.
In the mo
Hi,
If I create two ipfw rules with the same ID:
ipfw add 00022 deny ip from x to y
ipfw add 00022 allow ip from z to b
they will both be there, and both work ... but is it possible to remove
just one of them without removing the other ? Right now I am doing a hack
with a ";"
ipfw del 00022 ;
On Tue, 9 Sep 2003, Luigi Rizzo wrote:
> no, it is not possible to delete them -- you have no way to tell
> which rule to delete when multiple rules share the same number.
Are there any plans to make ipfw more flexible by changing the 65535 to
the next power of two ? So there are a lot more r
Whenever I run:
tcpdump -vvv
when I am finished, I am surprised to see:
27441 packets received by filter
7866 packets dropped by kernel
I have pored over the tcpdump man page, but do not see how to tell it to
not drop any of the packets.
What is the purpose behind this ? I can't think of any
22 matches