PF Protection against port scan

[Mandrilux]

Hi ,
I use FreeBSD 10, and I want to protect to my server who is online in internet the last week, my server was victim of attack "DDOS"

I want to use pf(4) to protect my server. In the first question, how do I block the scan port? And how do I block too many connection in 1 second ?

I'm not an expert in freebsd FreeBSD.

Thanks

 

[abishai]

You can't protect the server from DDOS with firewall on your side.

 

[gkontos]

You can use PF's rate limit options to manage the concurrent states. A good example: --> http://www.openbsd.org/faq/pf/filter.html#stateopts --<

Of course, those settings need to be tweaked according to the application that you are trying to protect. Sometimes, the use of log monitor scripts in combination with dynamic tables can reduce the impact of an attack.

 

[SirDice]

You can use PF's rate limit options to manage the concurrent states. A good example: --> http://www.openbsd.org/faq/pf/filter.html#stateopts --<

Of course, those settings need to be tweaked according to the application that you are trying to protect. Sometimes, the use of log monitor scripts in combination with dynamic tables can reduce the impact of an attack.

They're not going to protect you from a DDoS. If your server is connected to the internet with, for example, a 10 Gbit/s and somebody sends a 15Gbit/s DDoS to your site your local firewall isn't going to prevent your uplink being saturated.

Imagine a funnel, if you pour water in it it will flow through a small hole at the bottom. But if you pour too much water in the funnel itself will overflow as the water can't drain fast enough through the bottom. It's the same with (D)DoS attacks. You get so much traffic the funnel (i.e. your internet connection) can't drain fast enough and it will start overflowing.

 

[gkontos]

Correct, for this type of attack you need to involve your upstream provider. I was referring to different type of attacks, targeted at specific web applications, where you get a few thousand connections per sec from specific IPs.

 

[Mandrilux]

This attack aim the web server which is in port 80. Apache24 is saturated.

This attack is small.

 

[gkontos]

I assume that those are multiple connections originating from a specific range of IP addresses? Because 10Mbit is not that much unless we are talking about thousands of concurrent connections. Have you done any log analyses when this occurs?

The following are graphs from a rather busy web server:

 

[Mandrilux]

I assume that those are multiple connections originating from a specific range of IP addresses?

Yes !

It's low but how do I block this attack with PF?

 

[gkontos]

Like I said before, you can use PF's rate limit options to manage the concurrent states. A good example: --> http://www.openbsd.org/faq/pf/filter.html#stateopts

If you are not that familiar with firewalls and rate limit then you can ask for professional help, ask your upstream provider if they offer anti DOS services or use a CDN which includes web application firewall.