FreeBSD DDoS protection
Charles Sprickman
spork at bway.net
Sun Feb 10 21:08:28 UTC 2013
On Feb 10, 2013, at 4:42 AM, James Howlett wrote:
> Hello,
>
>
>> I think you'll get some better input if you address some of what Kevin noted above. What firewall (if any) is in place? What rules are currently in place? What tuning have you done so far? Is polling enabled?
>
> 1. I use pf on the router.
> 2. My setup looks like this ISP---switch---FreeBSD_router---Juniper_firewall
> So as long as my router can process the traffic I'll be able to manage all the rest (e.g. customer firewalls, zoning etc.) on my Juniper hardware.
> 3. The rules at the moment just filter SSH connections to the router.
> 4. I'm looking into enabling polling, but I need to test it before it goes to production.
>
>
>>
>> When you get hit, you mentioned it's 200K pps, how much bandwidth? How many different source IPs?
>
> Hard to say at the moment, but it was a DDoS for sure. Multiple hosts connecting to one single port on a single machine.
>
>> I know on a "real" router, having Netflow configured and dumping info to a host for analysis is very helpful - I can at least see what's being targeted and ask my upstreams to null route the attacked IP at their edges. I don't know if there's a good netflow exporter available for FreeBSD that won't hurt more than it helps.
>
> I can collect sFlow from my switch so that should do it. What software would you recommend for netflow analysis?
I'm not sure I can recommend it, because it's quite old, but I use flow-tools and just query on the command line for top X destinations - inevitably, even if the old Cisco is tanking from the load, it's able to spit out enough info to give me an idea of what's being targeted.
I'm probably going to move to nfsen/nfdump, as that seems to be the modern solution:
http://nfsen.sourceforge.net/
>
> Jim
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
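The "top X destinations" query Charles describes, as an added example that is not code from the thread or from flow-tools: it aggregates flow records by destination IP and port, counts distinct sources, and flags destinations whose packet rate and source spread look like the many-sources-to-one-port pattern Jim saw. The CSV layout is a constructed simplification (real flow-tools or nfdump exports differ), and the thresholds are assumptions to tune per site.

```python
"""Find the most-targeted destination in a set of flow records."""
from collections import defaultdict
import csv
import io

# Constructed sample: several sources hammering 192.0.2.10:80 plus some
# ordinary traffic. Columns are simplified; a real export needs its own reader.
SAMPLE_FLOWS = """src,dst,dport,packets,bytes
198.51.100.1,192.0.2.10,80,50000,3000000
198.51.100.2,192.0.2.10,80,48000,2880000
198.51.100.3,192.0.2.10,80,52000,3120000
198.51.100.4,192.0.2.10,80,49000,2940000
203.0.113.7,192.0.2.20,443,1200,900000
203.0.113.8,192.0.2.20,25,300,45000
203.0.113.9,192.0.2.30,22,40,6000
"""


def aggregate(flow_csv):
    """Return {(dst, dport): {"packets": n, "bytes": n, "sources": set()}}."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["dst"], int(row["dport"]))
        agg[key]["packets"] += int(row["packets"])
        agg[key]["bytes"] += int(row["bytes"])
        agg[key]["sources"].add(row["src"])
    return agg


def top_destinations(flow_csv, limit=3):
    """Destinations ranked by packet count: (dst, dport, packets, distinct sources)."""
    agg = aggregate(flow_csv)
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return [(dst, port, v["packets"], len(v["sources"]))
            for (dst, port), v in ranked[:limit]]


def flag_targets(flow_csv, window_seconds, pps_threshold, min_sources):
    """Destinations whose average pps and source spread both exceed the thresholds.

    window_seconds is the collection interval the records cover; the thresholds
    are site-specific assumptions, not values from the thread.
    """
    return [(dst, port)
            for dst, port, pkts, srcs in top_destinations(flow_csv, limit=None)
            if pkts / window_seconds >= pps_threshold and srcs >= min_sources]


if __name__ == "__main__":
    for entry in top_destinations(SAMPLE_FLOWS):
        print("%s:%d packets=%d sources=%d" % entry)
    print("flagged:", flag_targets(SAMPLE_FLOWS, 1, 100000, 3))
```

The flagged (IP, port) pairs are what you would hand to an upstream for a null route, as the thread suggests; the per-destination source count distinguishes a distributed flood from a single noisy host.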