how to know if i'm under flood?

James Bowman Sineath, III sineathj1 at citadel.edu
Tue Aug 30 00:32:18 GMT 2005 

> Thanks for reply!
> If u have more experience, please give some example about what sysctl
> variable to set,
There are a variety of them, I can give you a few examples of ones that I 
set but depending upon the attack and what it is targetting, they may 
proveto be ineffective. Keep in mind that there are a variety of different 
DoS attacks that target a variety of different services or protocols. Look 
at some of the following variables:
net.inet.tcp.blackhole, net.inet.udp.blackhole,net.inet.icmp.drop_redirects, 
net.inet.icmp.log_redirects,net.link.ether.inet.max_age, 
net.inet.tcp.sendspace, 
net.inet.tcp.recvspace,net.inet.tcp.always_keepalive, kern.ipc.maxsockets, 
kern.ipc.maxsockbuf,net.inet.ip.rtexpire, net.inet.ip.rtminexpire, 
kern.ipc.somaxconn

I don't want to tell you what to set the values to because many of them vary 
depending upon the type of attack, stats on the box and the purpose of the 
machine. There are also a variety of others you can use, those are just some 
examples.

>and wich ipfw rules can prevent DoS.

Keep in mind that denial of service attacks do not always come in the form 
of a flood. Often times it can be a few specially crafted packets that 
causes a service to crash or consume memory, so it is vital that you keep 
all of your software updated and watch for security advisories. I would
advise you to read about the different types of firewalls available and 
choose one that fits the purpose of your machine. I would recommend setting 
up an inclusive firewall, you can read more on that in the handbook (there 
is an example ruleset there I believe).

That being said, there isn't much you can do about floods. I never said that 
using a firewall would PREVENT denial of service attacks, I simply said that 
it would notify you when they were occuring. Also, be sure to setup your 
rules so that if you do get flooded, your logs won't fill up so quickly that 
it consumes your entire hard drive (set specific rules and use logamount x). 
If you are having a problem with floods then the only other thing you can do 
is have your ISP filter them out, the firewall rules on your box will prove 
to be ineffective against high bandwidth floods.

Bow Sineath
Class of 2006, the Citadel
sineathj1 at citadel.edu - bow.sineath at gmail.com

More information about the freebsd-questions mailing list