pf to block against DDoS?
Redd Vinylene
reddvinylene at gmail.com
Mon Sep 22 04:54:59 UTC 2008
> > > > From: Redd Vinylene <reddvinylene at ...>
> > > > To: <questions at ...>, <misc at ...>
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block
> > > > against DDoS attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter <lists at ...>
> > > To: Redd Vinylene <reddvinylene at ...>
> > > Cc: <questions at ...>, <misc at ...>
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > > http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver at peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > > -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen <peter at ...>
> > To: Oliver Peter <lists at ...>
> > Cc: Redd Vinylene <reddvinylene at ...>, <questions at ...>, <misc at ...>
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that! However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> >
> From: Lars Noodén <larsnooden at ...>
> To: Oliver Peter <lists at ...>
> Cc: Redd Vinylene <reddvinylene at ...>, <misc at ...>
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars
Much obliged to all y'all gentlemen for your valuable design insight.
Now, is there anything more I can do to secure my webserver from attacks? Or
perhaps my pf.conf can be simplified / beautified?
Peter N. M. Hansteen: Did I follow your tutorial correctly?
Lars Noodén: Would you happen to have an example of that?
My pf.conf now looks like this:
-
# interfaces
ext_if = "rl0"
int_if = "ep0"

set block-policy return
set skip on { lo0 }
scrub in

# hosts that trip an overload limit below land here and are blocked
table <bruteforce> persist

# NAT for the internal network, and forward port 30000 to an internal host
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 30000 -> 192.168.187.2 port 30000

pass out keep state
pass quick on $int_if

# default deny inbound; anything already in <bruteforce> is dropped first
block in
block quick from <bruteforce>

# general services: at most 100 states per source, 15 new connections
# per 5 seconds; exceeding either moves the source to <bruteforce>
# and kills all of its states
pass in on $ext_if inet proto tcp from any to any \
    port { 20, 21, 25, 53, 113, 30000:35000 } \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# ssh: tighter limits, 15 states and 5 new connections per 3 seconds
pass in on $ext_if inet proto tcp from any to any port 22 \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

pass in on $ext_if inet proto udp from any to any port 53 keep state
pass in on $ext_if inet proto icmp from any to any keep state
-
Have a great week! Cheers!
--
http://www.home.no/reddvinylene
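A two-table setup of the kind Lars Noodén describes above (first overload goes to a throttled, slow-queued second chance; a second overload gets blocked), written here as an added example that is not from any of the thread participants. It reuses the poster's rl0 interface and the <bruteforce> table; the <throttled> table, the ALTQ queue names, the bandwidth figures and every threshold are assumptions chosen for illustration:

```pf
# Added example, not from the thread. Interface name taken from the
# poster's config; table names, queues and all numbers are assumed.
ext_if = "rl0"

# Stage one: hosts that tripped the normal limit once. Still allowed in,
# but under a much tighter limit and on the slow queue.
table <throttled> persist
# Stage two: hosts that tripped the limit again while throttled. Blocked.
table <bruteforce> persist

# Small ALTQ queue for throttled hosts (assumed 10Mb uplink, 2% share).
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std bandwidth 98% cbq(default)
queue slow bandwidth 2%

block in

# Anything already in <bruteforce> is dropped before a pass rule sees it.
block in quick on $ext_if from <bruteforce>

# Second chance: a host already in <throttled> gets a tight limit
# (3 states, 2 new connections per minute) and the slow queue.
# Tripping this rule moves it to <bruteforce> and kills all its states.
pass in quick on $ext_if inet proto tcp from <throttled> to any port 22 \
    queue slow keep state \
    (max-src-conn 3, max-src-conn-rate 2/60, overload <bruteforce> flush global)

# First contact: the normal limit. Tripping it moves the host to
# <throttled> and flushes the states this rule created for it, so its
# next connections are matched by the quick rule above instead.
pass in on $ext_if inet proto tcp from any to any port 22 \
    keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <throttled> flush)
```

Rule order matters because pf takes the last matching rule unless `quick` is set: the <bruteforce> block and the <throttled> pass both carry `quick`, so a host in either table never reaches the general port 22 rule. Table entries do not age out on their own; a periodic `pfctl -t throttled -T expire 3600` (and a longer interval for <bruteforce>) is what actually gives a host its second chance back, and `pfctl -t throttled -T show` lists who is currently in it. Check the file with `pfctl -nf /etc/pf.conf` before loading it. If the kernel or driver has no ALTQ support, drop the three queue lines and the `queue slow` option; the two-stage overload logic works without them.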