DoS and DDoS attacks

No worries.

This is what's in my loader.conf
Code:
# boot / console
autoboot_delay="3"
boot_serial="YES"
comconsole_speed="115200"
hw.usb.no_pf="1"
kern.hz="1000"
# kernel memory
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
kern.ipc.nmbclusters="492680"
# modules
if_igb_load="YES"
aio_load="YES"
cc_htcp_load="YES"
# igb(4) NIC tuning
hw.igb.txd="2048"
hw.igb.rxd="2048"
hw.igb.rx_process_limit="-1"
hw.igb.enable_aim="1"
hw.igb.num_queues="0"
hw.igb.enable_msix="1"
# TCP tables / netisr
net.inet.tcp.hostcache.cachelimit="0"
net.inet.tcp.syncache.hashsize="1024"
net.inet.tcp.tcbhashsize="65536"
net.isr.bindthreads="0"
net.isr.dispatch="direct"
net.isr.maxthreads="1"

It made very little impact on performance and resiliency. We have tried almost everything that's in https://calomel.org/freebsd_network_tuning.html

When the firewall gets NAT enabled and the packets need to traverse pf, then it bogs down.

The tuning tips below have been tried to no avail. It doesn't seem capable of sorting legit traffic from the DDoS one.

-Set the actual timeouts lower. Some services can handle very low timeouts, some can't -> experiment with it.
-Set the adaptive timeout start point much lower.
-Limit simultaneous connections per client.
-Limit states created per host.
-Limit the number of "new" connections allowed per second - be cautious with this one.
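The five tips above written out as a pf.conf fragment, added here as an example and not taken from the thread or any poster; the interface name, the table name and every threshold are assumptions to be tuned against your own traffic.

```pf
# Added example, not from the thread. Interface, table name and all
# numbers are assumptions.
ext_if = "igb0"

# Hosts that trip the per-source limits are collected here.
table <abusers> persist

# Global state ceiling (the thread talks about 2MM) with adaptive timeouts
# that start scaling down at 40% of the limit instead of the default 60%.
set limit states 2000000
set timeout { adaptive.start 800000, adaptive.end 2000000 }

# Aggressive TCP timeouts: half-open and closing states expire quickly,
# only fully established sessions keep a long lifetime.
set timeout { tcp.first 30, tcp.opening 10, tcp.established 3600 }
set timeout { tcp.closing 30, tcp.finwait 15, tcp.closed 5 }

# Anything already flagged is dropped before it can create more state.
block in quick on $ext_if from <abusers>

# Web service: cap simultaneous connections and states per source address,
# allow at most 10 new connections per 5 seconds per source, and on
# overload add the source to the table and flush all its existing states.
pass in on $ext_if proto tcp to port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-states 200, \
     max-src-conn-rate 10/5, overload <abusers> flush global)
```

Check the effect with `pfctl -si` (state counts and adaptive timeouts) and `pfctl -t abusers -T show` (who has been flagged).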
 
The tuning tips below have been tried to no avail. It doesn't seem capable of sorting legit traffic from the DDoS one.
It doesn't need to sort legit from non.

If your system can't handle the number of states it's dealing with "and it can't if setting it stateless solves it" then reduce the timeouts etc. ;)
 
Run aggressive settings on states/timeouts and adaptive timeouts.

It handles better if they are set to none and the max limit on 2MM.

It doesn't need to sort legit from non.

If your system can't handle the number of states it's dealing with "and it can't if setting it stateless solves it" then reduce the timeouts etc. ;)
 
Since you're completely missing the point I give up.

FWIW:
We smashed the hell out of FreeBSD locally, bare metal -> bare metal on decent NICs. Once set up correctly it performed quite well and pretty much as expected.

-TGIF
 