DaemonForums  


FreeBSD Security Securing FreeBSD.

#1
Old 3rd June 2010
sci3ntist
New User
 
Join Date: Jun 2010
Posts: 4
DDOS and pf

Hi,

I'm facing a DDOS on one of my servers that hosts a few websites. If I implement synproxy on PF, could this solve the problem and decrease the DDOS?
Like, I want to put OpenBSD or FreeBSD with two network interfaces and do NATing from the OpenBSD or FreeBSD to the server that hosts my websites.


Regards,
#2
Old 3rd June 2010
Carpetsmoker
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

You can use pf's overload feature, see the pf.conf(5) and the PF user's guide for documentation & examples.

Quote:
Like, I want to put OpenBSD or FreeBSD with two network interfaces and do NATing from the OpenBSD or FreeBSD to the server that hosts my websites.
So you want to add a router in front of your webserver? Why not just run pf on your webserver?
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#3
Old 3rd June 2010
sci3ntist
New User
 
Join Date: Jun 2010
Posts: 4

Because I already have a configured server that hosts my website. Would OpenBSD and FreeBSD solve the problem of DDOS? Please, I want your recommendation if you have ever experienced the problem before.
#4
Old 3rd June 2010
Carpetsmoker
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

Right, your webserver is not a FreeBSD/OpenBSD system? Which OS are you using? You may want to use that system's firewall.

Adding a new FreeBSD or OpenBSD router would also be possible, and the effects would be the same, except that you would draw more power.

As mentioned above, pf ("The OpenBSD Packet Filter", also available on FreeBSD) has several options (overload, max-src-nodes, max-src-conn, max-src-conn-rate) which can be used to limit the maximum number of connections one host can make.
The documentation mentioned before has more specific documentation as well as some examples.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
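A pf.conf that puts the options named in this post together, added here as a worked example for the thread (it is not Carpetsmoker's configuration and not taken from the PF user's guide): a FreeBSD or OpenBSD router with two interfaces in front of the existing web server, forwarding port 80/443 to it with rdr as sci3ntist described, completing the TCP handshake itself with synproxy, and moving any source that exceeds the per-source limits into a table that is then blocked. The interface names, the addresses and the limit values are assumptions chosen for illustration; the nat/rdr syntax is the one FreeBSD's pf and OpenBSD releases before 4.7 use, and on current OpenBSD the nat and rdr lines become match rules with nat-to and rdr-to.

```conf
# Added example pf.conf for a two-interface router in front of a web server.
# All names and addresses below are assumptions for illustration.
ext_if    = "em0"              # interface facing the internet
int_if    = "em1"              # interface facing the web server
web_srv   = "192.168.1.10"     # the existing (CentOS) web server behind the router
web_ports = "{ 80, 443 }"

# Sources that exceed the limits below are collected here. "persist" keeps the
# table around even when it is empty, so pfctl -t ddos -T show always works.
table <ddos> persist

set skip on lo

# NAT: traffic from the inside network leaves with the router's address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Forward incoming web traffic to the server on the inside interface.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $web_srv

# Default deny; everything below opens specific holes.
block all

# Anything already in the table is dropped before any other rule is evaluated.
block in quick on $ext_if from <ddos>

# Web traffic: "synproxy state" makes pf complete the three-way handshake on
# behalf of the server, so half-open SYNs never reach it. One source may hold
# at most 100 states (max-src-conn) and open at most 15 new connections per
# 5 seconds (max-src-conn-rate). A source that passes either limit is added
# to <ddos>, and "flush global" kills all states it already holds.
pass in on $ext_if proto tcp from any to $web_srv port $web_ports \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <ddos> flush global)

# Let the router reach the server and the outside world.
pass out on $int_if proto tcp to $web_srv port $web_ports keep state
pass out on $ext_if keep state
```

After loading this with pfctl -f /etc/pf.conf, pfctl -t ddos -T show lists the sources that tripped the limits and pfctl -t ddos -T flush clears the table; those entries are also the addresses worth passing to the hosting company, since, as J65nko points out later in the thread, the packets still arrive on the external interface no matter what pf does with them. The limit values depend entirely on how many connections a legitimate client of the hosted sites opens (browsers open several per page), so they are a starting point to tune against normal traffic, not a recommendation.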
#5
Old 3rd June 2010
sci3ntist
New User
 
Join Date: Jun 2010
Posts: 4

It's Linux CentOS. I want to get my websites up and running, so if pf could offer this I'd use it.
#6
Old 3rd June 2010
Carpetsmoker
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

For this task, I would recommend OpenBSD. It is secure, very stable, fairly easy, and uses a KISS "it just works" approach.
FreeBSD will also work fine.
Personal preferences and opinions on this subject may vary though; coming from Linux, I'm sure you're familiar with the "My foo is better than your bar" type of discussions.

The OpenBSD FAQ is an extremely valuable resource for people new to the system: http://openbsd.org/faq/index.html

As is the PF user's guide: http://openbsd.org/faq/pf/index.html
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#7
Old 3rd June 2010
rpindy
Fdisk Soldier
 
Join Date: May 2010
Posts: 59

Quote:
Originally Posted by sci3ntist
It's Linux CentOS. I want to get my websites up and running, so if pf could offer this I'd use it.
If you have WHM, the ConfigServer firewall is good. It blocks bad IPs from brute force, port scans and the like, but I'm not sure about DDoS. I would give that a try if you aren't using it now.
#8
Old 3rd June 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Even if you block the packets, they still arrive on your interface and block your internet pipe.

Talk to your webhosting company, give them the offending IP addresses and/or logs. They can do something against it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
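Putting together the "offending IP addresses and/or logs" this post asks for can be done from pf's own log. The script below is an added example for the thread, not something J65nko posted: it takes the text that tcpdump prints for /var/log/pflog, tallies packets per source address and prints the sources above a threshold, which is the list a provider can filter before it reaches your pipe. The log lines are constructed for the example, with addresses from the RFC 5737 documentation ranges, and the threshold is an arbitrary value.

```shell
#!/bin/sh
# Added example: summarise the sources pf logged so they can be passed upstream.
# Assumed input format: one packet per line, as printed by
#   tcpdump -n -e -ttt -r /var/log/pflog
# The source address is the token before ">" with its trailing ".port" removed.

# Constructed sample log lines (not real traffic); documentation addresses only.
SAMPLE_LOG='Jun 03 10:44:58.000001 rule 3/(match) block in on em0: 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:58.000120 rule 3/(match) block in on em0: 198.51.100.7.51235 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:58.000230 rule 3/(match) block in on em0: 192.0.2.44.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:58.000340 rule 3/(match) block in on em0: 198.51.100.7.51236 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:58.000450 rule 3/(match) block in on em0: 198.51.100.7.51237 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:58.000560 rule 3/(match) block in on em0: 192.0.2.44.40002 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
Jun 03 10:44:59.000000 rule 5/(match) pass in on em0: 203.0.113.99.33000 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0'

# top_sources: read pflog text on stdin, print "<ip> <packets>" with the most
# active source first. Only IPv4 (address.port splits into five fields) is handled.
top_sources() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == ">") {
                n = split($(i - 1), a, ".")
                if (n == 5) print a[1] "." a[2] "." a[3] "." a[4]
            }
    }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# offenders THRESHOLD: sources that sent at least THRESHOLD logged packets.
# This is the short list to hand to the hosting company or ISP.
offenders() {
    top_sources | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# Stand-alone run against the sample: full tally, then sources at or above 3.
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

On a real system replace the sample with the tcpdump pipeline from the comment, and note that the tally reports only what pf logged (rules with the log keyword), so it says nothing about traffic that never matched a logged rule. Keeping the raw pflog file alongside the tally gives the provider timestamps and ports to verify against their own counters.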
#9
Old 3rd June 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

Exactly as said by J65nko, blocking packets simply means the kernel will ignore them and not process them further... but they are still on the wire, and can potentially impact performance.

You must contact your hosting provider or ISP, on a case-by-case basis.. it's no easy job.
Old 6th June 2010
sci3ntist
New User
 
Join Date: Jun 2010
Posts: 4

Yes, I understand this, but the hosting company couldn't do anything.
They said that they didn't have enough experience in that field.
Old 31st December 2010
drummondislebsd
New User
 
Join Date: Nov 2010
Posts: 3
What to do?

Quote:
Originally Posted by J65nko
Even if you block the packets, they still arrive on your interface and block your internet pipe.

Talk to your webhosting company, give them the offending IP addresses and/or logs. They can do something against it.
You mention the hosting company can do something about it...

Are you referring to the establishment of a pf/bridge with max/src/conn further "up the line" that prevents the offenders/packets from ever reaching the server's domains?

Logically, this only moves the "clog" in the pipe up the line, unless I'm missing something. If the offender is persistent, block/drop of their packets is great, but it could be a constant event... like a wikileaks 20G DDOS event, right?