dealing with DoS - practical tips & tools?

Dave Cottlehuber dch at skunkwerks.at
Fri Apr 3 15:36:51 UTC 2020


> On 4/3/20, Dave Cottlehuber <dch at skunkwerks.at> wrote:
> > yesterday I saw another mild DoS attack on our network. Typically we get UDP
> > floods and similar generic attacks, and also websocket-specific "layer 7"
> > attacks from random IPs.
>
On Fri, 3 Apr 2020, at 15:00, David Mehler wrote:
> Hello,
> 
> Where do you get your pf blocklists from?

Hi David,

funnily enough this pretty much nailed the layer7 stuff -- for the moment:

curl -#L \
  https://ip-ranges.amazonaws.com/ip-ranges.json \
  | jq -reC '.prefixes[].ip_prefix, .ipv6_prefixes[].ipv6_prefix' \
  | sort \
  | uniq \
  > /etc/pf.amazon

> As for an idea try fail2ban see if that helps.

That might be a bit tricky as not a lot of this is HTTP traffic, and logs are
not local to the box, but yes this is worth a look too. Perhaps I can get
info via pflog and feed this in as well.

I've found zeek as well, suricata, & will see if I can get anything useful
out of graylog which we already have in place.

A+
Dave


More information about the freebsd-questions mailing list