Hi,

I have a router running BGP and OSPF (bird) on FreeBSD.
Are there any best practices one can take in order to protect the network from DDoS attacks?
I know this isn't easy. But I would like to secure my network as much as possible.
Even if I'm not able to prevent or block a DDoS I would like to get some info (SNMP trap perhaps) regarding the attack.
Then I can contact my ISP or install an ACL on my router.

Any help would be great.

All best,
jim
Luckily, FreeBSD is fairly simple to harden against smaller DDoS attacks. Since I am unsure of your connection I cannot recommend specifics. However, it is best to configure polling, tweak sysctl (buffers/sockets/etc.), install pf or ipfw and do some straightforward deny/allow + source spoof settings.

Above all, don't go overboard with firewall configuration. People often try to do far too much tracking/packet rate limiting, etc. It just burns up free resources. Deny all ICMP (drop I mean) and UDP except where specifically required.

And just do general hardening... Get yourself a static IP or VPN. Deny all console/SSH access except to that IP. Same here, a simple host deny will satisfy this need. The less you do with the firewall (routing/blocking/inspecting) the better. Drop drop drop ;)

In the end, with proper tuning and a good Intel NIC you can saturate a 1Gbps connection with legit traffic and block most high PPS floods as long as they don't saturate the link. I have run similar configurations in 10Gbps scenarios and there are certainly limitations even in 1Gbps cases... Though, you can't plan for everything - the best you can do is be prepared for the majority of general UDP/ICMP/TCP SYN or service-specific attacks like SSH/FTP, etc.

I'm actually at dinner so I apologize for the lack of further detail. I'm not even certain this makes sense but hopefully it helps. I have my configs which I can send by tomorrow if needed. (For examples)

Best of luck!
-Kevin

On Feb 9, 2013, at 5:31 PM, "James Howlett" <jim.howlett at outlook.com> wrote:

> Hi,
>
> I have a router running BGP and OSPF (bird) on FreeBSD.
> Are there any best practices one can take in order to protect the network from DDoS attacks?
> I know this isn't easy. But I would like to secure my network as much as possible.
> Even if I'm not able to prevent or block a DDoS I would like to get some info (SNMP trap perhaps) regarding the attack.
> Then I can contact my ISP or install an ACL on my router.
>
> Any help would be great.
>
> All best,
> jim
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
On 2013-02-10 03:57, khatfield at socllc.net wrote:

> Deny all ICMP (drop I mean) and UDP except where specifically required.

Please do not drop all ICMP unless you understand what you are doing. By doing that you are creating a path MTU discovery blackhole.

See for example the following sites for more information:

http://www.phildev.net/mss/
https://supportforums.cisco.com/docs/DOC-5839
http://www.cymru.com/Documents/icmp-messages.html
http://packetlife.net/blog/2008/oct/09/disabling-unreachables-breaks-pmtud/

--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
On Sun, 10 Feb 2013 06:48:08 -0600, Janne Snabb <snabb at epipe.com> wrote:

> Please do not drop all ICMP unless you understand what you are doing. By
> doing that you are creating a path MTU discovery blackhole.

I was coming here to say the exact thing. Dropping ICMP is not a security method. Please stop doing this!
khatfield at s... writes:

> The less you do with the firewall (routing/blocking/inspecting) the
> better.
>
> Drop drop drop ;)

I think this is really bad advice. A firewall should return destination-unreachable/reset packets for administratively prohibited traffic types. Drops, null routes, etc. should only be used in case of emergency like ongoing DoS attacks or for special cases like stealth firewalls.

--
I FIGHT FOR THE USERS
Please read the rest of the thread before criticizing.

On Feb 13, 2013, at 9:58 AM, "Matthew X. Economou" <xenophon at irtnog.org> wrote:

> khatfield at s... writes:
>
>> The less you do with the firewall (routing/blocking/inspecting) the
>> better.
>>
>> Drop drop drop ;)
>
> I think this is really bad advice. A firewall should return
> destination-unreachable/reset packets for administratively prohibited
> traffic types. Drops, null routes, etc. should only be used in case of
> emergency like ongoing DoS attacks or for special cases like stealth
> firewalls.
>
> --
> I FIGHT FOR THE USERS
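As an added illustration (not a configuration any poster sent), here is a pf.conf sketch for the FreeBSD BGP/OSPF router that combines Kevin's advice (antispoof, SSH only from a static admin IP, nothing more than deny/allow) with the two corrections raised later in the thread: the ICMP types that PMTUD depends on stay open, and administratively prohibited traffic gets a return rather than a silent drop. Interface names, the admin host and the BGP neighbour addresses are assumptions.

```pf
# Added example pf.conf for a FreeBSD router running bird (BGP + OSPF).
# em0/em1, 192.0.2.10 and the 203.0.113.x peers are assumed placeholders.
ext_if     = "em0"                            # upstream / transit interface
int_if     = "em1"                            # interface facing the OSPF area
admin_host = "192.0.2.10"                     # static admin IP allowed to SSH
bgp_peers  = "{ 203.0.113.1, 203.0.113.2 }"   # configured eBGP neighbours

set skip on lo0
# Prohibited traffic answers with ICMP unreachable / TCP RST (Matthew's point).
# Switch to "drop" only during an ongoing flood, when the replies cost you.
set block-policy return

# Refuse packets whose source address belongs to the wrong interface
# (Kevin's "source spoof settings").
antispoof quick for { $ext_if, $int_if }

# Default: nothing from upstream reaches the router itself unless allowed below.
block in log on $ext_if

# ICMP is NOT dropped wholesale (Janne's PMTUD point): "unreach" carries the
# fragmentation-needed message and "timex" is needed for traceroute-style
# diagnostics. Echo requests stay open but are capped at 50 concurrent states.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex } keep state
pass in on $ext_if inet proto icmp icmp-type echoreq keep state (max 50)
pass in on $ext_if inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob, neighbrsol, neighbradv }

# BGP (TCP/179) only from the configured neighbours, a few states at most.
pass in quick on $ext_if proto tcp from $bgp_peers to ($ext_if) port 179 flags S/SA keep state (max 16)

# OSPF (IP protocol 89) only on the inside interface, including its multicast groups.
pass in quick on $int_if proto ospf from $int_if:network
pass in quick on $int_if proto ospf to { 224.0.0.5, 224.0.0.6 }

# SSH only from the static admin host; any other source gets the "return" policy.
pass in quick on $ext_if proto tcp from $admin_host to ($ext_if) port 22 flags S/SA keep state

# Flows that originate inside are forwarded and their replies tracked by state;
# inbound connections to inside hosts need their own pass rules (not shown).
pass in quick on $int_if keep state
pass out quick on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -si` shows state counts, which is the cheapest early sign of a flood before any SNMP trap is wired up.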