2008/7/19 Parvinder Bhasin <[EMAIL PROTECTED]>:
> This may be dumb but won't hurt to throw this out there, maybe this has to be
> built with a combination of tools, technologies etc but I would definitely
> like to first collect as much info and then maybe work on this (or maybe the
> solution - open source is already out there, in that case I would like to
> know what :), I know of many 100K devices that will do this.
>
> Is there a way that I can set up a machine (another OpenBSD machine) in front
> of an OpenBSD firewall to help against DDoS attacks?
> If so what would be the proper approach in doing so (if someone has already
> approached this subject).
>
> Machine would have 2 or 3 NICs (3rd NIC for management maybe?).
> You take the internet drop on the first port, say for example: fxp0
> (external_if). Maybe implement SYNCOOKIE (technology). The traffic only
> gets passed on to the firewall port through fxp1 (internal_if), once the
> server gets the ACK back. Would SYNPROXY do this too??
> This machine could also be doing some form of RATE LIMITING?? maybe??
>
> Anyone?? Any takers??
>
> /Parvinder Bhasin

I don't mean to be impolite, but considering that these guys
<http://www.rayservers.com/ddos-protection> are the first Google hit
for "firewall ddos protection openbsd" (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.

Also from http://www.rayservers.com/ddos-protection :

> The bottom line is that whatever the appliance you use, you need upstream
> bandwidth to be able to discard the attack traffic while allowing legitimate
> traffic to your existing servers. You also need competent persons who
> understand the technical issues, hardware and network bottlenecks and can put
> a solution in place that is resistant to abuse that works with your budget.

--ropers
