DDoS attacks

A

Armando

I would like to know how can I improve the performance of my server to no longer suffer DDoS or DoS attacks.

What do you recommend? :)
 
You cannot stop a DDoS with just pf per se. Even if pf is blocking a Denial the traffic is still having to hit your machine to get denied. Therefore your incoming link will still be saturated, is this for home or at work?
 
PF is pretty good. But as said, you can only do so much with a firewall. It's not going to help you if your attacker saturates your internet connection. Perhaps your ISP or hoster can help out with that.
 
Any of the three firewalls will block incoming packets. That's their whole purpose of existence.

However, none of them are going to protect you against an attacker that's able to saturate your internet connection.
 
Wait I understand my problem maybe the PF is not installed properly, I notice that the kernel in folder: /usr/src/ no file.
 
Interesting. When I had the problem it I just scripted a small scraper and called it from cron. Though the attack was coming from every country on the planet it never actually saturated my NIC. After a couple of days I was blocking pretty close to 12,000 IP addresses. I didn't realize how big some of these zombied botnets were.

So the proper way would to have a dedicated pf/gateway I assume. Is there a quicker way to populate the table without parsing the log?
 
UNIXgod said:
Is there a quicker way to populate the table without parsing the log?
Click to expand...
You can throttle connections with PF. If I remember correctly the man page has some nice examples. But besides that there isn't much you can do since you don't know in advance where the attacks will come from. All you can do is react after the fact.
 
UNIXgod said:
So the proper way would to have a dedicated pf/gateway I assume.
Click to expand...

pfSense is very nice if you've got an old machine sitting around collecting dust. It runs great on my Dell with a 2.66GHz P4 and 1.25GB RAM.

And while the pf firewall will block incoming packets anyway there is a pfBlocker app that comes with it you can set to block incoming and outgoing traffic to countries all over the world.
 
You need to work with your ISP so they can blackhole the traffic. Otherwise, as it was mentioned before, your link will get saturated anyway.
 
Couldn't attackers be blocked with PF like this...

Code: 
table <webddos> persist
block log quick inet from <webddos>
pass in on $ext_if inet proto tcp from any to $webserver port { 80 443 } synproxy state \
        ( max-src-conn-rate 100/60, overload <webddos> flush global )

...meaning block completely (not just ports 80 and 443) every IP address which places more than 100 requests in 60 seconds period? Of course you could tweak number of requests and period according to your situation, or do additional source tracking (explained in pf.conf(5)).

Line in cron resets ban once per week (sometimes good host dinamically gets IP address which previously belonged to DoS-er):
Code: 
@weekly /sbin/pfctl -t webddos -T expire 60
 
That won't stop the remote hosts from trying to send the DDoS traffic to your IP address, it will still hit the next router upstream and bring it down to its knees.
 
@pacija
Yeah, you could, but the point is that packets already enter your link, which means that DDoS is doing it's thing - denying other legitimate packets to enter your link.

The only way to truly alleviate DDoS is to have huge resources in bandwidth and servers which could "eat up" the attack, while working with your ISP to block traffic upstream before it enters your links.
 
You must log in or register to reply here.
Back
Top