pf - denial of service advice..

All,

I am a bit of a newbie with pf on FreeBSD and I need some advice on some firewall rules/configuration changes to prevent/stop DoS attacks. I have set up a fairly basic system allowing ftp, www and ssh packets inbound.

If I check my firewall state I am getting hammered with connections on port 21 from various random hosts, too many to actually add into a manual block table. The ones I do add in my block table do actually stop, but I am getting way too many IPs listed to manually add.

Are there any helpful entries I can add into my pf.conf file to prevent such attacks?

Thanks in advance.
D
 
drbabbers said:
> I am a bit of a newbie with pf on FreeBSD and I need some advice on some firewall rules/configuration changes to prevent/stop DoS attacks.

Yeah, stop wasting your time ;)

> I have set up a fairly basic system allowing ftp, www and ssh packets inbound.

Good. There isn't much else you can do really. Sure, you can limit/throttle the number of connections somewhat, but if an attacker manages to send 100Mbps to your 10Mbps connection you will get hosed nonetheless.

> If I check my firewall state I am getting hammered with connections on port 21 from various random hosts, too many to actually add into a manual block table. The ones I do add in my block table do actually stop, but I am getting way too many IPs listed to manually add.

Most likely this isn't a DoS but an FTP brute-force attack. They scan for FTP hosts and try to log in using common username/password combinations. There are several tools available that'll block an IP address after an X number of failed login attempts. I use security/sshguard-pf on my server to protect my sshd. It can also be used to protect against FTP brute-force attacks.

> Are there any helpful entries I can add into my pf.conf file to prevent such attacks?

Start by realizing that you can never prevent attacks like this. That's because you have no control over the millions of zombie machines that scan your IP address. Best you can do is mitigate the risks.
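
Added example (not part of the thread and not either poster's configuration): a pf.conf sketch of the per-source connection limiting mentioned in the reply, using pf's stateful tracking options so that offending addresses are moved into a block table automatically instead of by hand. The interface name `em0`, the table name `<bruteforce>` and all thresholds are assumptions to be tuned for the actual host.

```conf
# Added example. Assumed names: em0, <bruteforce>. Thresholds are illustrative.
ext_if = "em0"                  # assumption: external interface

# Table filled automatically by the overload option below.
table <bruteforce> persist

set skip on lo0

# Drop anything from addresses that have already tripped a limit.
block in quick on $ext_if from <bruteforce>

# Default deny inbound, allow outbound.
block in on $ext_if all
pass out on $ext_if all keep state

# FTP control channel and SSH: few legitimate connections per client.
#   max-src-conn       simultaneous connections allowed per source address
#   max-src-conn-rate  new connections per source per interval (count/seconds)
#   overload <table>   add a source that exceeds either limit to the table
#   flush global       kill all existing states from that source
pass in on $ext_if proto tcp from any to ($ext_if) port { 21 22 } \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# WWW: browsers open many parallel connections, so use looser limits
# and only refuse the excess connections instead of blocking the source.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/5)

# Not covered here: FTP data connections (passive port range or ftp-proxy).
# These limits act per source address; they do not help when the link
# itself is saturated, as the reply points out.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and list what has been caught with `pfctl -t bruteforce -T show`. Entries can be aged out periodically, for example with `pfctl -t bruteforce -T expire 86400` from cron, so the table does not grow without bound.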
 