DaemonForums: OpenBSD Security
#1, 17th December 2009, Sam (Port Guard; joined Nov 2009; 19 posts)
Thread title: DDoS attacks

Hello,

How do I block DDoS attacks (many connections in a very short time)?

What advice can you give me for fighting DDoS attacks? Is there software that can block these attacks? Is there a very specific rule in the Packet Filter utility against DDoS attacks?
#2, 17th December 2009, roundkat (Shell Scout; joined May 2008; 115 posts)

I guess you would need to be more specific on which service, i.e. ssh, http, etc.

So, as an example for ssh, I block the script kiddies banging away on port 22 (ssh):
Code:
# Tables
table <scanners> persist

# stop the script kiddies ($ext_if is the external interface macro)
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh flags S/SA \
    synproxy state (max-src-conn-rate 2/60, overload <scanners> flush)

block in quick on $ext_if from <scanners> to any
This part of my rules captures the IP of the script kiddie if they try more than
2 times in 60 seconds.. (a bit restrictive yes.. and you can change the interval)
then dumps the offending IP to the table "scanners"

Any subsequent connection from the offending IP is then dropped..
The table is flushed upon reboot.
I "used" to have a script that would also dump the offending IP's to a permanent
table but that proved unnecessary to keep them.

I am assuming that there is also a solution for http.. but I have never found the need to
implement one..

One of the other "more learned" mods like J65nko or a frequent pf master like s2Scott might provide you with a much more
technical response... :-)

hth
rk
__________________
All posts sent on ReCycled Electrons...
#3, 17th December 2009, Sam (Port Guard; joined Nov 2009; 19 posts)

Hello

When I was on Linux I had the misfortune of being confronted with a DDoS attack. I changed OS and am now running OpenBSD, so that I would not see the same problem. I mean the http service.

So to counter this, back when I was still on Linux, I was leaning on an interesting mod for Apache: mod_evasive.

How to fight effectively against DDoS attacks?
#4, 17th December 2009, phoenix (Risen from the ashes; joined May 2008; 696 posts)

Using PF and the different options to limit the number of connections/second that are allowed from any single IP, or subnet.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
#5, 17th December 2009, jggimi (More noise than signal; joined May 2008; USA; 7,975 posts)

If you are running a web server, and you wish to -limit- inbound connections, use the Stateful Tracking Options, such as those in the example provided by roundkat.

http://www.openbsd.org/faq/pf/filter.html#stateopts

The link is for the PF User's Guide in English. It is also available in German, French, Italian, Polish, Russian, and Portuguese.
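As an added illustration (not a ruleset posted in this thread, and not taken from the PF User's Guide), here is roundkat's ssh pattern carried over to the http case that Sam and jggimi discuss, using the stateful tracking options from the linked FAQ section. The interface name em0, the table name webabusers and the numeric thresholds are assumptions for the example; they are not values given anywhere in the thread and would need tuning for a real server.

```pf
# Constructed example pf.conf fragment for a web server. The interface,
# table name and thresholds are assumptions, not values from this thread.
ext_if = "em0"

# Sources that exceeded the limits below. "persist" keeps the table even
# while no loaded rule references it; entries are still lost on reboot.
table <webabusers> persist

# Drop known offenders first. With "quick", a matching packet stops here
# and never reaches the pass rule underneath, so no "!<table>" is needed.
block in quick on $ext_if from <webabusers> to any

# Per source address: at most 100 open states at once (max-src-conn) and
# at most 15 new connections within any 5-second window
# (max-src-conn-rate). A source that exceeds either limit is added to
# <webabusers>; "flush global" also tears down every state that source
# already holds, on any rule, not only on this one.
pass in on $ext_if proto tcp from any to $ext_if port { www, https } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <webabusers> flush global)
```

Once this is loaded, the table can be inspected with `pfctl -t webabusers -T show`, an accidentally blocked address removed with `pfctl -t webabusers -T delete <address>`, and entries older than an hour aged out from cron with `pfctl -t webabusers -T expire 3600`, which addresses roundkat's point that the table otherwise only empties on reboot. Two caveats: browsers open several parallel connections per page, and many legitimate clients can share one address behind NAT or a proxy, so limits this tight can block real visitors and the numbers need measuring against normal traffic. And as J65nko notes further down, this only spares the web server from being overloaded; it does nothing once the uplink itself is saturated, which is the ISP's problem to solve upstream.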
#6, 17th December 2009, J65nko (Administrator; joined May 2008; Budel, the Netherlands; 4,125 posts)

If it is a real DDoS attack and your network connection is flooded with these attempts, not accepting the connections will not help you at all. You will have to ask your ISP to deal with it upstream.

If my street is blocked with hundreds of people who want to visit me, then DHL will not be able to deliver the present I ordered for my wife. It doesn't matter whether I let that crowd in or leave them standing outside.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#7, 18th December 2009, roundkat (Shell Scout; joined May 2008; 115 posts)

Quote:
Originally Posted by Sam
Hello
When I was on Linux I had the misfortune of being confronted with a DDoS attack. I changed OS and am now running OpenBSD, so that I would not see the same problem. I mean the http service.
So to counter this, back when I was still on Linux, I was leaning on an interesting mod for Apache: mod_evasive.

How to fight effectively against DDoS attacks?
As J65nko put it.. you can't stop the traffic, but in your case your
webserver was overloaded and probably crashed the Linux box..

Jggimi pointed you in the right direction..
There is a good example on that page..

rk