FreeBSD DDoS protection

James Howlett jim.howlett at outlook.com
Sun Feb 10 09:43:13 UTC 2013


Hello,

 
> I think you'll get some better input if you address some of what Kevin noted above.  What firewall (if any) is in place?  What rules are currently in place? What tuning have you done so far?  Is polling enabled?

1. I use pf on the router.
2. My setup looks like this: ISP---switch---FreeBSD_router---Juniper_firewall
So as long as my router can process the traffic, I can manage all the rest (e.g. customer firewalls, zoning, etc.) on my Juniper hardware.
3. The rules at the moment just filter SSH connections to the router.
4. I'm looking into enabling polling, but I need to test it before it goes to production.


> 
> When you get hit, you mentioned it's 200K pps, how much bandwidth?  How many different source IPs?

Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.

> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges.  I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.

I can collect sFlow from my switch, so that should do it. What software would you recommend for netflow analysis?

Jim
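As an added illustration, not part of Jim's post or anyone's reply in the thread: a pf.conf for a FreeBSD router in the position he describes (ISP on one side, the Juniper firewall on the other) that keeps the "filter SSH to the router" policy he mentions but makes it hold up under a flood: per-source connection rate limits on the management SSH rule, an overload table for offenders, a larger state table, and stateless forwarding of transit traffic so the router does not allocate a state entry per attack packet. The interface names em0/em1, the management network 192.0.2.0/24 and the table names are assumptions for the example.

```pf
# Added example pf.conf for a FreeBSD forwarding router.
# Interface names, the management network and table names are assumptions,
# not values from the mailing-list thread.
ext_if = "em0"          # assumed upstream (ISP-facing) interface
int_if = "em1"          # assumed interface towards the Juniper firewall

# A flood of short-lived connections to the router itself fills the default
# 10000-entry state table quickly; size it to the box's RAM instead.
set limit states 500000
set limit src-nodes 200000

# Never filter loopback.
set skip on lo0

# Where management SSH may come from (assumed documentation prefix).
table <mgmt_nets> const { 192.0.2.0/24 }

# Sources that exceed the SSH rate limit are parked here. Entries are kept
# until expired, e.g. from cron:  pfctl -t ssh_abusers -T expire 3600
table <ssh_abusers> persist

# Drop packets whose source address belongs to one of our own networks but
# arrives on the wrong interface.
antispoof quick for { $ext_if $int_if }

# 1. Anyone already flagged as an abuser is dropped before any other rule.
block in quick on $ext_if from <ssh_abusers>

# 2. Management SSH to the router itself: only initial SYNs create state,
#    at most 10 concurrent and 5 new connections per 30 s per source.
#    Offenders go into <ssh_abusers> and all their existing states are
#    flushed (flush global), so the table above starts biting immediately.
pass in quick on $ext_if proto tcp from <mgmt_nets> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <ssh_abusers> flush global)

# 3. Connections the router opens itself (DNS, NTP, package fetches) need a
#    state so their replies are not caught by the block rule below.
pass out quick on $ext_if from ($ext_if) keep state

# 4. Everything else addressed to the router's own upstream address is
#    dropped and logged to pflog0 for later analysis.
block in log quick on $ext_if to ($ext_if)

# 5. Transit traffic for the customers behind the Juniper is forwarded
#    without state; per-customer filtering and zoning stay on the Juniper,
#    as described in the thread, and the router keeps no per-flow memory
#    that an attack could exhaust.
pass quick all no state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and during an attack watch `pfctl -t ssh_abusers -T show` for the addresses being parked and `pfctl -si` for state-table usage and the "memory" counter, which climbs when the `set limit states` value is too small. Logged drops from rule 4 can be read with `tcpdump -n -e -ttt -i pflog0`.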


More information about the freebsd-security mailing list