#1
Old 6th July 2008
chris chris is offline
Port Guard
Join Date: May 2008
Location: United Kingdom
Posts: 35
Suppress UDP DDoS attack

Hi guys,
One of the IPs on my system is being subjected to occasional UDP floods (I can tell it's UDP by checking out the bandwidthd output for that IP). Whilst the rest of the network remains completely stable due to decent firewalls in use at the data-centre, I can't help thinking that there's more I can be doing to limit the effect of these attacks via my software firewall (pf). I tried experimenting with the following rule:

pass inet proto udp from any to x.x.x.x \
        keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
         overload <bruteforce> flush global)
I *think* it helped a little, but not as much as I'd like. First of all, is there really any point in implementing this sort of protection, and if so, how can I make best use of pf to stop these attacks crippling the IP in question?

#2
Old 6th July 2008
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,136

If a thousand people are standing in front of your house and yell that they want money from you, you can refuse to open the front door and not let them in. But the newspaper boy and the mailman will still have trouble reaching your house to deliver the paper and your mail.

The best way is to report this IP to the netblock owner or ask your upstream ISP to do that. The whois command-line program will tell you who the netblock owner is.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
Old 6th July 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

I find the abuse staff at most ISPs are quite slow... and when they do respond they really can't do much more than blocking the individual in question.

Typically though, they won't do anything on the first attempt... the Internet is an active place, tolerate it... and make sure your network is adequately secure.
#4
Old 7th July 2008
anomie anomie is offline
Join Date: Apr 2008
Location: Texas
Posts: 445

From blackhole(4):
In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted that this behaviour will prevent remote systems from running traceroute(8) to a system.

The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial of service attack.
Might be worth exploring in your case.
Kill your t.v.
#5
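Added example, not code from any poster in this thread, covering the pf rule in post #1 and the blackhole(4) advice in post #4. The script emits a pf.conf fragment and the two sysctl lines; the server address, UDP port list, numeric limits, timeouts and the <udpflood> table name are hypothetical, and 192.0.2.10 is a documentation address. The point of contrast with post #1: pf.conf(5) ties max-src-conn, max-src-conn-rate and the overload table they feed to TCP connections that have completed the 3-way handshake, so on a UDP rule those options never trigger, which is consistent with the rule only "helping a little". For UDP the knobs that do something are max-src-states (a per-source cap on state entries), short UDP state timeouts, and default deny for ports the host does not serve, so unsolicited datagrams never create state. None of this recovers bandwidth already burned on the upstream link, which is J65nko's point; it limits what the flood costs the host itself.

```shell
#!/bin/sh
# Added example (not from the thread): generate a FreeBSD pf.conf fragment and
# blackhole(4) sysctl lines for one address that receives UDP floods.
# Hypothetical: the server address in $1, the port list, limits, timeouts and
# the <udpflood> table name.
set -eu

# pf.conf fragment. Unlike the rule in post #1 it uses no max-src-conn or
# max-src-conn-rate: per pf.conf(5) those (and the overload table they feed)
# count completed TCP handshakes, so they never fire on a UDP rule.
pf_udp_ruleset() {
    srv_ip="$1"
    cat <<EOF
srv_ip = "$srv_ip"
udp_services = "{ 53, 123 }"    # constructed list: only the UDP ports this host serves

# Hand-maintained blocklist (e.g. sources confirmed with tcpdump); pf will not
# fill it from a UDP rule by itself.
table <udpflood> persist

# Bound the state table and age UDP states out quickly so a flood cannot pin
# thousands of entries for long.
set limit states 100000
set timeout { udp.first 15, udp.single 10, udp.multiple 30 }

block in quick inet proto udp from <udpflood> to \$srv_ip

# Served ports: stateful, but no single source may hold more than 50 states.
pass in quick inet proto udp from any to \$srv_ip port \$udp_services keep state (max-src-states 50)

# Everything else UDP to this address is dropped without creating state.
block in quick inet proto udp from any to \$srv_ip
EOF
}

# /etc/sysctl.conf lines from blackhole(4). They stop the kernel answering
# unsolicited UDP with ICMP port-unreachable (and unsolicited TCP with RST),
# which trims the reply traffic a flood or scan provokes. They do nothing about
# the inbound packets themselves and they break traceroute(8) toward this host.
blackhole_sysctls() {
    cat <<'EOF'
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
EOF
}

# Syntax-check the generated ruleset with pfctl(8) without loading it (-n).
# Returns 2 where pfctl is absent so the script still runs on a non-pf box.
check_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; syntax check skipped" >&2
        return 2
    fi
    pf_udp_ruleset "$1" | pfctl -nf -
}

# Usage: sh udpflood.sh show 192.0.2.10
if [ "${1:-}" = "show" ]; then
    pf_udp_ruleset "${2:-192.0.2.10}"
    echo
    blackhole_sysctls
fi
```

Review the emitted fragment with `check_ruleset` on the FreeBSD host before merging it into the live pf.conf, and keep the data-centre firewall and the ISP report as the primary controls; the host-side rules only decide what the flood costs the box, not what reaches it.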
Old 9th July 2008
KernelPanic KernelPanic is offline
Port Guard
Join Date: May 2008
Posts: 19

Here is my $0.02:

If one of your servers is getting UDP flooded 'occasionally', you might want to check and make sure that the server has not been compromised.

"Script kiddies" throughout the world are scanning for vulnerable ssh accounts, PHP exploits, and lame-duck IIS installs. If you're lucky, the 'kiddies' just set up an IRC client/bouncer on your server and use it to swap 'warez' and taunt other "script kiddies". Eventually someone gets annoyed and launches a DoS attack against your server.

Last edited by KernelPanic; 9th July 2008 at 02:50 PM. Reason: Typos