FreeBSD DDoS protection
khatfield at socllc.net
Sun Feb 10 02:06:34 UTC 2013
Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc), install pf or ipfw and do some straightforward deny/allow + source spoof settings.
Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources.
Deny all ICMP (drop I mean) and UDP except where specifically required.
And just do general hardening... Get yourself a static IP or VPN. Deny all console/ssh access except to that IP. Same here, a simple host deny will satisfy this need.
The less you do with the firewall (routing/blocking/inspecting) the better.
Drop drop drop ;)
In the end, proper tuning with a good Intel NIC and you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link.
I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service specific attacks like SSH/FTP, etc.
I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps.
I have my configs which I can send by tomorrow if needed. (For examples)
Best of luck!
-Kevin
On Feb 9, 2013, at 5:31 PM, "James Howlett" <jim.howlett at outlook.com> wrote:
> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as possible.
> Even if I am not able to prevent or block a ddos I would like to get some info (snmp trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
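A minimal pf.conf along the lines the reply describes, added here as an example; it is not Kevin's configuration. The interface names and the addresses (taken from documentation ranges) are assumptions, and the rules filter only traffic addressed to the router itself, so transit packets match no rule and are forwarded by pf's implicit stateless pass.

```pf
# /etc/pf.conf -- added example; every name and address below is an assumption.
ext_if   = "em0"            # assumed upstream-facing NIC
int_if   = "em1"            # assumed internal NIC (OSPF adjacencies live here)
admin_ip = "203.0.113.10"   # placeholder static/VPN address used for SSH
bgp_peer = "198.51.100.1"   # placeholder upstream BGP neighbor

# Sources that should never arrive from upstream. Remove an entry if your
# peering link is numbered out of it.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }

set block-policy drop       # "drop drop drop": never answer with RST or ICMP
set skip on lo0

# Source-spoof settings: forged sources are dropped before anything else.
block drop in quick on $ext_if from <bogons> to any
# Packets claiming an internal source but arriving on another interface.
# Assumes the internal network is reachable only through $int_if.
antispoof quick for $int_if

# Anything addressed to the router itself from upstream is dropped, which
# covers ICMP and UDP. Only the exceptions below get through.
block drop in on $ext_if from any to self

# BGP from the configured neighbor only.
pass in on $ext_if proto tcp from $bgp_peer to self port 179

# SSH from the single administrative address only.
pass in on $ext_if proto tcp from $admin_ip to self port 22

# Sessions the router opens itself (BGP, DNS, NTP) get state so replies
# return; the state table holds only the router's own connections.
pass out on $ext_if from self

# No per-source tracking or rate limiting: transit traffic creates no state,
# so a high-PPS flood cannot exhaust the state table.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and keep console access available while testing the SSH rule.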