Hi--

On Sep 25, 2013, at 10:23 AM, NetOps Admin <netops.ad...@epsb.ca> wrote:
> Hi,
>       We are currently getting hit with a DoS attack that looks very
> similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> coming at us from thousands of hosts.  The source UDP port is 19 (chargen)
> and when it hits it consumes a 2Gb/s link.

OK.  You should get your ISP or whatever upstream connectivity provider to
filter out the malicious traffic before it hits your 2Gb/s link.

>       Our main router is a FreeBSD server with ipfw installed.  I have
> tried blocking UDP port 19 incoming from the internet in a firewall rule
> but the UDP packets are very large and they are followed by a number of
> fragmented packets.  I think that even though I am blocking port 19, the
> fragmented packets are getting through and eating up the bandwidth.

Right...filtering this UDP traffic on your side is already too late, because
your bandwidth is already being chewed up.

>      I am a little hesitant of using a UDP deny rule with "keep-state" to
> try and block the following fragmented packets.  I don't want to cause
> memory issues.

Assuming PMTUD is working, it's not normal to receive any significant # of
fragmented packets over the WAN.  Normally you only get them for local net
traffic, ie, NFS using 64K UDP packet size or similar.

You can likely drop fragmented UDP traffic entirely, although it won't help
much because your bandwidth is still being used.

>      Can I use keep-state with a deny rules?  Will it have issues if I use
> keep-state to track thousands of hosts in a saturated 2 Gb/s link?

I believe yes and no, respectively; on the other hand, doing stateful tracking
of DoS traffic which you want to discard doesn't strike me as very useful, 
either.

>      Any ideas on how others are controlling this?

You need to filter the malicious traffic before it hits your pipe, as much as 
possible.

Your ISP should be willing to help make that happen; on a good day, they might
even try to block ingress of the malicious traffic before it wastes their
resources, rather than just working to filter the last step before your pipe.

Regards,
-- 
-Chuck
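To illustrate the fragment problem raised in the thread, here is an added Python example (not from the thread or from ipfw itself): it builds a constructed two-fragment chargen reply, shows that a source-port rule can only match the first fragment because later fragments carry no UDP header, and shows that a rule using ipfw's `frag` option (which matches non-first fragments) is what catches the rest. The packet builder and the rule functions are my emulation of those ipfw semantics, and the addresses and sizes are constructed.

```python
import struct

IP_PROTO_UDP = 17
CHARGEN_PORT = 19

def build_ipv4(proto, mf, frag_offset, payload, ident=0x1234):
    """Constructed IPv4 packet (checksum left zero) with the given
    fragment fields. frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (proto, more_fragments, frag_offset, l4_payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return pkt[9], bool(flags_frag & 0x2000), flags_frag & 0x1FFF, pkt[ihl:]

def port_rule_matches(pkt):
    """Emulates 'deny udp from any 19 to any in': only the first fragment
    (offset 0) carries the UDP header, so later fragments never match."""
    proto, _mf, off, l4 = parse_ipv4(pkt)
    if proto != IP_PROTO_UDP or off != 0 or len(l4) < 8:
        return False
    return struct.unpack("!H", l4[0:2])[0] == CHARGEN_PORT

def frag_rule_matches(pkt):
    """Emulates 'deny ip from any to any in frag': ipfw's frag option
    matches non-first fragments (offset > 0), exactly what port rules miss."""
    _proto, _mf, off, _l4 = parse_ipv4(pkt)
    return off > 0

def classify(pkt):
    if port_rule_matches(pkt):
        return "deny-port19"
    if frag_rule_matches(pkt):
        return "deny-frag"
    return "allow"

def build_sample_stream():
    """Constructed traffic: one 1808-byte chargen UDP reply split into a
    1500-byte first fragment and a 348-byte tail, plus a normal DNS answer."""
    udp_hdr = struct.pack("!HHHH", CHARGEN_PORT, 40000, 8 + 1800, 0)
    first = build_ipv4(IP_PROTO_UDP, True, 0, udp_hdr + b"A" * 1472)
    second = build_ipv4(IP_PROTO_UDP, False, 1480 // 8, b"A" * 328)
    dns_hdr = struct.pack("!HHHH", 53, 40001, 8 + 40, 0)
    return [first, second, build_ipv4(IP_PROTO_UDP, False, 0, dns_hdr + b"\x00" * 40)]

def run_filter(stream):
    """Bytes per verdict. Every byte counted here already crossed the link,
    which is why filtering on the router cannot give the bandwidth back."""
    totals = {}
    for pkt in stream:
        verdict = classify(pkt)
        totals[verdict] = totals.get(verdict, 0) + len(pkt)
    return totals
```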


_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"