Re: dDoS attacks
Han Boetes wrote: Not so much as a direct reply but more as to share what happened when I was ddossed a few month ago. The thing that brought my pc to it's knees was pflog trying to log it all. Once I found that out I disabled logging and Then I hardly had a connection because my upload caused by the replies of my return-rst firewall stuffed the upload. After that I disabled return-rst I got a continous stream of 50kb/s and I barely noticed I was ddossed. So my suggestion would be to put in triggers in pf that would go of at certain levels that would indicate a ddos, after which logging and return-rst is disabled. Perhaps pflog could go in another mode that gathers much less detailed info. one could accomplish such a thing without any changes to pf - just a small daemon (perhaps a script) which monitors some statistic (eg.g. denied packets) and switches rulesets if it is exceeded. -d
Re: dDoS attacks
On Tue, 5 Nov 2002 17:28:18 -0500 jolan [EMAIL PROTECTED] wrote: On Tue, Nov 05, 2002 at 02:49:42PM +0100, Michiel van Baak wrote: Anyone who can enlighten me ? ddos attacks need to be blocked at the router and even then it doesn't mean you're going to come away from one unscathed. - jolan I know they have to block it in the router. But that's not the case with my network and now I want to block them in the router here. It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh Is there a way to do it with pf? Michiel
RE: dDoS attacks
Hi List, The host that is being attacked, there isn't much you can do about a dDos. I wonder on the other side what can be done (by pf) to prevent the host being used as a zombie spawning (spoofed) packets like mad. Anybody a clue? Sacha
Re: dDoS attacks
On Wed, Nov 06, 2002 at 12:44:38PM +0100, Sacha Ligthert wrote: I wonder on the other side what can be done (by pf) to prevent the host being used as a zombie spawning (spoofed) packets like mad. Anybody a clue? you can stop spoofed packets from going out by only passing things out which have the ip address of the external interface as the source addr. of course you need root to spoof packets, so chances are whoever is doing the spoofing can also modify your pf rules. - jolan
Re: dDoS attacks
On Wed, 2002-11-06 at 07:13, Daniel Hartmeier wrote: There's a link to a patch for pf that allows further session limiting on honeynet.org. Thanks for the tip. Any plans to include this patch in future releases? -J.
Re: dDoS attacks
Thnx all. The trick with the max states and timeouts works fine. Michiel
RE: dDoS attacks
On Wed, 2002-11-06 at 07:13, Daniel Hartmeier wrote: There's a link to a patch for pf that allows further session limiting on honeynet.org. Thanks for the tip. Any plans to include this patch in future releases? -J. To answer Jason Dixon's question: -Original Message- From: Daniel Hartmeier [mailto:daniel;benzedrine.cx] Sent: woensdag 6 november 2002 13:22 To: Sacha Ligthert Subject: Re: dDoS attacks On Wed, Nov 06, 2002 at 01:19:53PM +0100, Sacha Ligthert wrote: Will this patch be added to the main pf devel repository one day? Have you read it and understand what it does? The tarball linked to contains a userland tool that does most of the work, but at a very high price. I guess we could make a port out of that. Daniel Sacha
Re: dDoS attacks
On Wed, Nov 06, 2002 at 08:11:04AM -0500, Jason Dixon wrote: Ok, I'll refine my question (after reviewing the tarball). Any chance that the related functionality provided by netfilter (--limit) will be built into PF in future releases. Obviously, this type of feature still has its limitations when your T1/E1/T3/E3 is being saturated by a thousand different source addressed garbage streams, but it would be nice nonetheless. If I understand it correctly, netfilter's --limit is used to limit the number of concurrent connections per source (or destination) address. This feature has been suggested and discussed before (on misc, I think), and we weren't sure whether it belongs into the kernel itself. Keeping per-source/-destination statistics can be memory and cpu expensive, and there would be no real downside to doing it in a generic userland proxy. Except, maybe, for the fact that you lose the real source addresses for logging, which could be solved with embryonic states, but I didn't mention that now ;) A generic userland proxy could do all sorts of nice things, like throttle connections and throughput, based on source/destination addresses and blocks of addresses, etc. Daniel
Re: dDoS attacks
Michiel van Baak ([EMAIL PROTECTED]) wrote: I've been spending 3 days searching on google and reading docs/howto's about pf. But I didn't find any information about how to protect you server/network against dos and ddos attacks. Anyone who can enlighten me ? I'm pretty new to OpenBSD. Started using it when 2.9 came out and just preordered 3.2. I'm running a server/firewall on 3.0 for a while now. Not so much as a direct reply but more as to share what happened when I was ddossed a few month ago. The thing that brought my pc to it's knees was pflog trying to log it all. Once I found that out I disabled logging and Then I hardly had a connection because my upload caused by the replies of my return-rst firewall stuffed the upload. After that I disabled return-rst I got a continous stream of 50kb/s and I barely noticed I was ddossed. So my suggestion would be to put in triggers in pf that would go of at certain levels that would indicate a ddos, after which logging and return-rst is disabled. Perhaps pflog could go in another mode that gathers much less detailed info. Of course I don't know if this is a good idea. This is just my impression. Another side effect of the return-rst was that I got a warning from my isp for scanning certain hosts. Of course the ips of the attackers were spoofed and I got the blame for the return packets identified by the other person as a scan. //Han -- Linux, the choice .~. I never said all Democrats were of a GNU generation / V \ saloonkeepers; what I said was all Kernel 2.4.19 /( . )\saloonkeepers were Democrats. on a i686 ^-^
Re: dDoS attacks
On Wed, 2002-11-06 at 08:57, Han Boetes wrote: firewall stuffed the upload. After that I disabled return-rst I got a continous stream of 50kb/s and I barely noticed I was ddossed. So my suggestion would be to put in triggers in pf that would go of at certain levels that would indicate a ddos, after which logging and return-rst is disabled. Perhaps pflog could go in another mode that gathers much less detailed info. Of course I don't know if this is a good idea. This is just my impression. Another side effect of the return-rst was that I got a warning from my isp for scanning certain hosts. Of course the ips of the attackers were spoofed and I got the blame for the return packets identified by the other person as a scan. Ironic, isn't it? You try to run a good neighbor firewall and get accused of portscanning. Not to mention committing interconnectivity suicide on your upstream. :( Yeah, that would be nice, but could likely be implemented with some sort of ioctl/pfctl(?) userland utility that checks for max connections, then adds temporary rules to disable logging and return-rst for that source. Heck, this *could* be done with a perl script and cron, although it wouldn't be real-time. I wonder, realistically, how much cpu would be wasted running this every minute from cron? :) -J.
Re: dDoS attacks
On Wed, Nov 06, 2002 at 12:38:33PM +0100, Daniel Hartmeier wrote: Well, a real distributed DoS attack involves many hosts fully establishing connections to a service you provide to the public, which either saturates your uplink or the resources on your server so that legitimate connections cannot be handled anymore, thus denying service to your legitimate peers. real life example: we were target to a DDoS about a year ago - sucked a total incoming bandwidth of over 1 TByte/s - of course that's far beyond our uplink capacities. I could have filtered as much as I want - pointless. We were able to stop the attack at the border routers of our uplinks, but that's a different story. As unfortunate as it is: there is nothing, really nothing, you can do about a well done DDoS attack. If it is not well done you have a chance if your uplinks are cooperating.
Re: dDoS attacks
On Thu, Nov 07, 2002 at 12:38:56AM +0100, Henning Brauer wrote: real life example: we were target to a DDoS about a year ago - sucked a total incoming bandwidth of over 1 TByte/s - of course that's far beyond our gack, I need sleep. It was over 1 GBit/s of course. a TBytes/s would be a bit much ;-)