how to know if i'm under flood?
James Bowman Sineath, III
sineathj1 at citadel.edu
Tue Aug 30 00:32:18 GMT 2005
> Thanks for the reply!
> If you have more experience, please give some examples of which sysctl
> variables to set,
There are a variety of them. I can give you a few examples of ones that I
set, but depending upon the attack and what it is targeting, they may
prove to be ineffective. Keep in mind that there are a variety of different
DoS attacks that target a variety of different services or protocols. Look
at some of the following variables:
net.inet.tcp.blackhole, net.inet.udp.blackhole, net.inet.icmp.drop_redirects,
net.inet.icmp.log_redirects, net.link.ether.inet.max_age,
net.inet.tcp.sendspace, net.inet.tcp.recvspace, net.inet.tcp.always_keepalive,
kern.ipc.maxsockets, kern.ipc.maxsockbuf, net.inet.ip.rtexpire,
net.inet.ip.rtminexpire, kern.ipc.somaxconn
I don't want to tell you what to set the values to because many of them vary
depending upon the type of attack, stats on the box and the purpose of the
machine. There are also a variety of others you can use, those are just some
examples.
> and which ipfw rules can prevent DoS.
Keep in mind that denial of service attacks do not always come in the form
of a flood. Often it can be a few specially crafted packets that
cause a service to crash or consume memory, so it is vital that you keep
all of your software updated and watch for security advisories. I would
advise you to read about the different types of firewalls available and
choose one that fits the purpose of your machine. I would recommend setting
up an inclusive firewall; you can read more on that in the handbook (there
is an example ruleset there, I believe).
That being said, there isn't much you can do about floods. I never said that
using a firewall would PREVENT denial of service attacks, I simply said that
it would notify you when they were occurring. Also, be sure to set up your
rules so that if you do get flooded, your logs won't fill up so quickly that
they consume your entire hard drive (set specific rules and use logamount x).
If you are having a problem with floods then the only other thing you can do
is have your ISP filter them out; the firewall rules on your box will prove
to be ineffective against high bandwidth floods.
Bow Sineath
Class of 2006, the Citadel
sineathj1 at citadel.edu - bow.sineath at gmail.com
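As an added example for the two points in the reply above (it is not code from the original post or from FreeBSD), the script below does two things: it emits an ipfw(8) ruleset fragment whose deny rule uses "log logamount N" so a flood cannot fill the disk with log lines, and it answers the thread's question of how to tell you are being flooded by counting ipfw "Deny" log lines per source address and reporting the sources that cross a threshold. The log lines in SAMPLE_LOG are constructed, the interface name, rule numbers and services in flood_rules are assumptions, and the parser assumes IPv4 "addr:port" source fields as written by the ipfw syslog logger.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeBSD project.
# Assumes the syslog layout ipfw(8) produces:
#   ... kernel: ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <dir> via <iface>

# Constructed sample log lines (not captured from a real host):
# 198.51.100.7 hammers port 80 with SYNs, 192.0.2.9 sends a few stray packets.
SAMPLE_LOG='Aug 30 00:32:18 gw kernel: ipfw: 100 Deny TCP 198.51.100.7:40001 203.0.113.5:80 in via fxp0
Aug 30 00:32:18 gw kernel: ipfw: 100 Deny TCP 198.51.100.7:40002 203.0.113.5:80 in via fxp0
Aug 30 00:32:18 gw kernel: ipfw: 100 Deny TCP 198.51.100.7:40003 203.0.113.5:80 in via fxp0
Aug 30 00:32:19 gw kernel: ipfw: 100 Deny TCP 198.51.100.7:40004 203.0.113.5:80 in via fxp0
Aug 30 00:32:19 gw kernel: ipfw: 100 Deny UDP 192.0.2.9:53 203.0.113.5:53 in via fxp0
Aug 30 00:32:19 gw kernel: ipfw: 200 Deny ICMP:8.0 192.0.2.9 203.0.113.5 in via fxp0
Aug 30 00:32:20 gw kernel: ipfw: 100 Deny TCP 198.51.100.7:40005 203.0.113.5:80 in via fxp0
Aug 30 00:32:20 gw kernel: ipfw: 65535 Deny TCP 192.0.2.9:1024 203.0.113.5:22 in via fxp0'

# flood_rules IFACE LOGAMOUNT
# Prints ipfw commands for a small inclusive ruleset whose final deny rule
# logs at most LOGAMOUNT packets before going quiet (counters are cleared
# with "ipfw resetlog"). Printed rather than executed so it can be reviewed;
# pipe the output to sh to apply it. Rule numbers and ports are assumptions.
flood_rules() {
    cat <<EOF
sysctl net.inet.ip.fw.verbose=1
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 allow tcp from any to me 22,80 in via $1 setup
ipfw -q add 300 allow tcp from any to any established
ipfw -q add 65000 deny log logamount $2 ip from any to any in via $1
EOF
}

# flood_sources THRESHOLD < logfile
# Counts ipfw "Deny" lines per source address and prints "count source"
# for every source at or above THRESHOLD, most active first.
# The source is the second field after "Deny" (proto sits between them);
# a trailing ":port" is stripped so TCP, UDP and ICMP lines group together.
flood_sources() {
    awk -v limit="$1" '
        /ipfw: / && / Deny / {
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            src = $(i + 2)
            sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (s in n) if (n[s] >= limit) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Stand-alone demo: show the ruleset, then which sources in the sample
# crossed 5 denied packets (a real run would use /var/log/security).
flood_rules fxp0 100
printf '%s\n' "$SAMPLE_LOG" | flood_sources 5
```

On a live box, run the detector against the file syslog writes ipfw messages to (typically /var/log/security) and tune the threshold to the host's normal background of denied packets; because logamount caps how many lines each rule logs, a counter that stops growing during an ongoing flood means the cap was hit, not that the flood stopped, so reset the counters with "ipfw resetlog" when you rotate the log.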