Josh Brooks wrote:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw ?
> 
> I am getting hammered by a different (D)DoS attack every single day - it's
> always something new.  I am thinking of buying a netscreen, but on the
> other hand I really like FreeBSD, I really like a host-based firewall, and
> I hate to admit defeat.


You cannot protect yourself against DDOS.

In the limit, the attacker will fill up your communications
pipes, so no matter what you do, in terms of load-shedding,
you will still end up with the attack being effective.

You've posted previously that you want to do some things,
like characterizing packet options (e.g. MSS), and dropping
certain packets with or without these options.

This is merely a load-shedding strategy, and it is, in fact,
one which will not be successful, if you make your choices
in this regard public, since you will provide information to
your attacker as to why his attack, previously effective, is
now ineffective.  The bad news is that, even if you do not
make this information public, an attacker can infer your rules
and "tighten up" the attack, to make it look more like legitimate
traffic, to avoid your rules changes (e.g. adding the MSS option
to SYN packets used in attacks, etc.).  In the worst case, the
attacker will merely flood your pipes, if you are effective in
stopping attack packets at your border firewall.

The only really effective mechanisms for defending against DDOS
attacks are:

1)      Have a bigger pipe than the aggregate of all your
        attackers "robots" -- this has the negative effect
        of your attacker, while being unable to take you
        off the air, they can still cost you money (e.g. the
        "war dialer attack on 1-800 numbers of SPAM'mers and
        televangelists, who get charged for call completion).

2)      DPOS - Distributed Provision Of Service.  A DDOS attack
        can only work against a small number of targets.  As the
        number of targets approaches the number of "robots", the
        DDOS attack becomes ineffective.

3)      Identify the attackers, and have them arrested.  There
        are all sorts of laws which are being violated by a DDOS
        attack, but police agencies aren't very sophisticated,
        mostly because of their hiring standards, and therefore
        you have to do much of their work for them.

4)      Host something politically or militarily sensitive on
        the same server farm.  The Men In Black will make your
        attackers disappear (unlike police agencies, the
        intelligence agencies *are* effective).

> Or is it generally accepted that if you have that kind of targets on your
> network that you just have to get an appliance - that is, even if the guy
> that wrote ipfw and knows the fbsd kernel inside and out still wouldn't
> even try to make that work ?

The only thing a firewall can do for you is shed load, even if
it's God's Own Firewall(tm).

-- Terry
