The way I've handled it to this point with my sites, and it has worked
well, is that various firewalls (mostly OpenBSD PF is what I use) allow you to
establish what an overload looks like. So I set mine up so that if you
establish 10 connections in 5 seconds it tosses you onto the overload
list and just does a silent drop of all traffic from the offender for an
hour. It has worked to stop most SSH brute force attempts dead, and
works on most DoS and DDoS attacks. Where the limits of this method come
in is connection saturation.
 
--
Jason Barbier | E: jab...@serversave.us
GPG Key-ID: B5F75B47(http://kusuriya.devio.us/pubkey.asc)
 
 
On Wed, Mar 23, 2016, at 07:45 AM, john boris wrote:
> Here at $WORK a few of our sites that use the same ISP have been
> targets of DOS attacks at random times. Part of my department handles
> the network to our sites and the ISP's answer has been to just change
> the external IP. Which stems the tide for a bit but it will rear its
> head again in a short time. The attacks continue for a time then stop
> then start up again.
>
> I have been searching the net on this topic but I have not found what
> I am looking for. We are a fledgling group in this area (By way of
> reorganization and decentralization) and as the Grey Beard of the
> group I have taken on the role as the person looking for solutions.
>
> What I am looking for is what people have done to try and stave off an
> attack. I know it is a moving target but I am looking for tools that
> help monitor the traffic to alert us when the traffic gets to a
> certain point, also best practices on setting up a good defense.
>
> I have read a bunch of articles that tell me what to do but I would
> like to see how it's done.
> Example:
> 1. Use this tool to monitor traffic
> 2. Set up the firewall this way to this if A happens, B if this
>    IP etc.
>
> If you want to talk offline on this it is fine. I just want to find a
> better way than changing our Public IP for our ISP each time. That
> just strikes me as changing my phone number to stop crank calls.
>
> Thanks in advance.
>
> --
> John J. Boris, Sr.
>
> _________________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
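
The overload rule described in the reply above, written out as a pf.conf fragment. This is an added example, not configuration taken from the message; the table name `<overload>`, the use of the `egress` interface group, the port list and the cron schedule are assumptions.

```pf
# /etc/pf.conf fragment (OpenBSD PF). Constructed example.

# Blocked packets are dropped silently instead of answered with RST/ICMP.
set block-policy drop

# Table holding offending source addresses. "persist" keeps the table
# in memory even when no rule currently references it.
table <overload> persist

# Default deny for inbound traffic.
block in all

# Anything already on the overload list is dropped before other rules
# are evaluated ("quick" stops rule processing at this match).
block drop in quick from <overload>

# Public TCP services (assumed: SSH, HTTP, HTTPS).
#   max-src-conn-rate 10/5 : more than 10 new connections in 5 seconds
#                            from one source trips the limit
#   overload <overload>    : the source address is added to the table
#   flush global           : all existing states from that source are
#                            killed, not only those made by this rule
pass in on egress proto tcp to port { 22 80 443 } \
    keep state (max-src-conn-rate 10/5, \
                overload <overload> flush global)

# Outbound traffic is allowed statefully.
pass out all

# PF does not age table entries on its own. To release offenders after
# an hour, run this from root's crontab (assumed schedule: every 5 min):
#
#   */5 * * * * /sbin/pfctl -t overload -T expire 3600
#
# Useful checks from the shell:
#   pfctl -nf /etc/pf.conf          # parse the ruleset without loading it
#   pfctl -t overload -T show       # list currently blocked addresses
#   pfctl -t overload -T delete IP  # release one address by hand
```

PF applies `max-src-conn-rate` only to TCP connections that have completed the three-way handshake, so the rule counts real connection attempts per source. It does nothing for traffic that fills the upstream link before it reaches the firewall, which is the saturation limit the reply mentions.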
 