[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dDoS attacks



Michiel van Baak (michiel@vanbaak.info) wrote:
> I've been spending 3 days searching on google and reading docs/howto's
> about pf. But I didn't find any information about how to  protect  you
> server/network against dos and ddos attacks. Anyone who can  enlighten
> me ?
>
> I'm pretty new to OpenBSD. Started using it when 2.9 came out and just
> preordered 3.2. I'm running a server/firewall on 3.0 for a while now.
Not so much as a direct reply but more as to share what happened when  I
was ddossed a few month ago.
The thing that brought my pc to it's knees was pflog trying  to  log  it
all. Once I found that out I disabled logging and Then I  hardly  had  a
connection because my upload caused by  the  replies  of  my  return-rst
firewall stuffed the upload. After that I disabled return-rst  I  got  a
continous stream of 50kb/s and I barely noticed I was ddossed.
So my suggestion would be to put in triggers in pf that would go  of  at
certain levels that would indicate  a  ddos,  after  which  logging  and
return-rst is disabled. Perhaps pflog could  go  in  another  mode  that
gathers much less detailed info.
Of course I don't know  if  this  is  a  good  idea.  This  is  just  my
impression.
Another side effect of the return-rst was that I got a warning  from  my
isp for scanning certain hosts. Of course the ips of the attackers  were
spoofed and I got the blame for the return  packets  identified  by  the
other person as a scan.
//Han
-- 
Linux, the choice     .~.         I never said all Democrats were
of a GNU generation  / V \       saloonkeepers; what I said was all
Kernel 2.4.19       /( . )\        saloonkeepers were Democrats.
on a i686             ^-^