PF Disabling state tracking for incoming traffic

Hi,

Recently we started getting hit with DDoS attacks. The latest one targeted our authoritative DNS servers and caused major problems.
All our servers have pf configured to allow all traffic out, with keep state, but block everything in, except ports we configure for running services.
During the latest attack, the first weak point to fail was that pf state tables on the DNS servers got filled and the servers stopped accepting new connections. We scrambled to add more memory and raise the state limit and eventually we were able to ride it out.

Example pf.conf snippet:
Code:
set limit states 2000000

scrub in all

# Trust localhost
set skip on lo0

block in log all

# Allow DNS (TCP and UDP)
pass in proto tcp from any to port 53 keep state
pass in proto udp from any to port 53 keep state

pass out all keep state

We also have rules to allow ICMP etc. but I kept it short.

I've tested the following to disable state tracking for DNS servers:
Code:
set limit states 2000000

scrub in all

# Trust localhost
set skip on lo0

block in log all

# Allow DNS (TCP and UDP) without creating state.
# flags any is needed on the TCP rules: pf applies flags S/SA to TCP pass rules by
# default, and without state that would only ever match the initial SYN.
pass in proto tcp from any to port 53 flags any no state
pass in proto udp from any to port 53 no state

# Replies must bypass state tracking too, otherwise "pass out all keep state" below
# creates one state entry per answer sent.
pass out quick proto udp from port 53 to any no state
pass out quick proto tcp from port 53 to any flags any no state

pass out all keep state

Would this cause any side-effects? I assume it would cause some kind of performance hit, since each incoming packet would have to be matched to rules, instead of just a lookup in the state tables. Probably a non-issue for DNS over UDP, which is usually just one packet in, one packet out, but TCP and other services using TCP I assume could be affected in some way.
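The post describes two things a practitioner would want to pin down: the exact stateless ruleset (including the TCP flags caveat) and a way to see state-table pressure before it becomes the "first weak point to fail". The script below is an added example, not code from the original post or from the FreeBSD project. It assumes FreeBSD pf and the `pfctl -si` / `pfctl -sm` output layout reproduced in the constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a stateless DNS ruleset for pf
# plus a small check of state-table utilisation that a monitoring host could
# poll. Assumes FreeBSD pf and the pfctl -si / -sm layout shown in the
# constructed samples below.

# Write the stateless DNS ruleset to the file named in $1.
# 'flags any' matters: pf applies 'flags S/SA' to TCP pass rules by default,
# so a stateless TCP rule without it matches only the initial SYN and every
# later segment of the connection falls through to 'block in log all'.
write_dns_ruleset() {
    cat > "$1" <<'EOF'
set limit states 2000000
set skip on lo0
scrub in all
block in log all
# DNS: no state tracking, so a query flood cannot exhaust the state table
pass in quick proto udp from any to port 53 no state
pass out quick proto udp from port 53 to any no state
pass in quick proto tcp from any to port 53 flags any no state
pass out quick proto tcp from port 53 to any flags any no state
# everything else stays stateful
pass out all keep state
EOF
}

# Print TCP pass rules in a pf.conf ($1) that are stateless but still rely on
# the default flags check (the mistake the ruleset above avoids).
lint_stateless_tcp() {
    awk '/^[[:space:]]*pass/ && /proto tcp/ && /no state/ && !/flags any/' "$1"
}

# Print state-table utilisation in percent, given saved 'pfctl -si' output
# ($1, for "current entries") and 'pfctl -sm' output ($2, for the hard limit).
state_usage_pct() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ {print $3}')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" {print $4}')
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 2
    echo $(( cur * 100 / lim ))
}

# Exit 0 only while utilisation is below the threshold percentage in $3.
state_table_ok() {
    pct=$(state_usage_pct "$1" "$2") || return 2
    [ "$pct" -lt "$3" ]
}

# Constructed sample output, in the layout FreeBSD's pfctl prints.
SAMPLE_SI='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                  1900000
  searches                       987654321       182345.6/s
  inserts                          7654321        12345.0/s
  removals                         5754321        12300.0/s'

SAMPLE_SM='states        hard limit  2000000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Only talk to the live firewall when run as root on a host that has pfctl.
if [ "$(id -u)" = 0 ] && command -v pfctl >/dev/null 2>&1; then
    state_table_ok "$(pfctl -si)" "$(pfctl -sm)" 80 || echo "pf state table above 80% of limit"
fi
```

Run `write_dns_ruleset /tmp/pf.conf.new && pfctl -nf /tmp/pf.conf.new` to syntax-check the ruleset before loading it; `state_table_ok "$(pfctl -si)" "$(pfctl -sm)" 80` is the kind of check worth wiring into the monitoring server, since the post's outage was a full state table rather than CPU or bandwidth.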