FreeBSD DDoS protection

James Howlett jim.howlett at outlook.com
Sun Feb 10 17:34:21 UTC 2013


Kevin,

> That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?
>

There is no NAT on my router. The setup looks like this:

ISP--switch--FreeBSD-router---switch---firewall (nat, etc)

The switch is basically one device with some VLANs.
My outside connectivity is done by BGP; my internal routing is using OSPF as an IGMP protocol.
 
> You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion.
> Works incredibly well.


Great, I'll look into that. Could you recommend some flow display/analysis software?
  
> ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.
>

Ok.
 
> If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.
> 

My firewall is basic and looks like this:
http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACLs that can be put in at the switch.

I have both Juniper EX2200 and Cisco 2960S at hand.

> 
> However, if the BSD box is either live locking or crashing then you need to fix that first.
> 

The BSD box drops network connectivity - OSPF fails first, which causes my network to go offline.
The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's already enabled in the kernel.
> 
> Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

My Ethernet cards use the em driver. I can change them to igb cards in a few weeks.
Is it safe to enable polling on a production system?

All best,
jim
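The ICMP and UDP port 0 filtering Kevin describes above, written out as a pf ruleset for a forwarding router like Jim's. This is an added example, not Jim's pastebin rules or anything from the thread; it assumes the public-facing NIC is em0, uses 192.0.2.1 as a placeholder for the upstream BGP peer, and keeps the router's default behaviour of passing all other traffic through to the downstream firewall.

```pf
# Added example pf.conf for a BGP/OSPF router that forwards everything by
# default and only drops the traffic the thread calls out as safe to drop.
# Assumptions: em0 is the upstream-facing interface; 192.0.2.1 is a
# placeholder for the real BGP peer address.
ext_if = "em0"
table <bgp_peers> { 192.0.2.1 }

set skip on lo0
# Reassemble fragments so the ICMP/UDP matches below see whole packets
scrub in on $ext_if all fragment reassemble

# Protect the router's own BGP session first: it must never be caught by a
# later block rule
pass in quick on $ext_if proto tcp from <bgp_peers> to ($ext_if) port 179

# UDP port 0 is never legitimate (source or destination); drop it outright
block in quick log on $ext_if proto udp from any port 0 to any
block in quick log on $ext_if proto udp from any to any port 0

# ICMP: keep ping, the "fragmentation needed" message that path-MTU
# discovery depends on, and "time exceeded" for traceroute; drop the rest.
# "no state" keeps a flood of these from filling the state table.
pass in quick on $ext_if inet proto icmp icmp-type { echoreq, echorep } no state
pass in quick on $ext_if inet proto icmp icmp-type unreach code needfrag no state
pass in quick on $ext_if inet proto icmp icmp-type timex no state
block in quick log on $ext_if inet proto icmp

# Everything else is forwarded unchanged to the downstream firewall.
# Stateless on purpose: a stateful default pass on a router under attack
# turns the state table into the first thing that overflows.
pass all no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch the `block ... log` hits on pflog0 to confirm the rules are catching what you expect. For the polling question: on a kernel built with `options DEVICE_POLLING`, polling is switched per interface at run time with `ifconfig em0 polling` (and `-polling` to revert), so it can be tried on the public NIC alone and backed out without a reboot if it misbehaves.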
