[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dDoS attacks

On Wed, Nov 06, 2002 at 12:02:42PM +0100, Michiel van Baak wrote:
> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them in the router here.
> It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh
> Is there a way to do it with pf?
Well, a real distributed DoS attack involves many hosts fully
establishing connections to a service you provide to the public, which
either saturates your uplink or the resources on your server so that
legitimate connections cannot be handled anymore, thus denying service
to your legitimate peers. If you can distinguish connections from
attackers from legitimate connections, of course you can block them with
pf. You can also not send tcp rst and icmp errors on blocked ports to
conserve bandwidth. But if the attack is sophisticated, coming from
numerous unspoofed sources and just exhausts your uplink, there's
nothing you can do with a firewall alone, since the damage is already
done when it sees the packets.
If the problem is not the uplink but a service being exhausted, you can
throttle connections by proxying them, which also deals with incomplete
(spoofed) tcp handshakes (similar to syn cookies, etc.), or use keep
state options like 'max' and aggressive timeouts.