On Jul 19, 2008, at 1:26 AM, ropers wrote:

> 2008/7/19 Parvinder Bhasin <[EMAIL PROTECTED]>:
>> This may be dumb but won't hurt to throw this out there. Maybe this has to
>> be built with a combination of tools, technologies etc., but I would
>> definitely like to first collect as much info and then maybe work on this
>> (or maybe the solution - open source - is already out there; in that case
>> I would like to know what :). I know of many 100K devices that will do this.
>>
>> Is there a way that I can set up a machine (another OpenBSD machine) in
>> front of an OpenBSD firewall to help against DDoS attacks? If so, what
>> would be the proper approach in doing so (if someone has already approached
>> this subject)?
>>
>> The machine would have 2 or 3 NICs (3rd NIC for management maybe?). You
>> take the internet drop on the first port, say for example fxp0
>> (external_if). Maybe implement SYNCOOKIE (technology). The traffic only
>> gets passed on to the firewall port through fxp1 (internal_if) once the
>> server gets the ACK back. Would SYNPROXY do this too?? This machine could
>> also be doing some form of RATE LIMITING?? maybe??
>>
>> Anyone?? Any takers??
>>
>> /Parvinder Bhasin
>
> I don't mean to be impolite, but considering that these guys
> <http://www.rayservers.com/ddos-protection> are the first Google hit
> for "firewall ddos protection openbsd" (w/o quotation marks), it would
> seem to me that you maybe didn't Use Teh Google.


Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that
there are PAY solutions; like I mentioned, I know of many devices
that can achieve this. I have done research on these devices and was
thinking maybe something (open source - OpenBSD based device?? maybe)
can be made to prevent this attack upstream.

So I have experienced (on my network) an attack that choked our GigE link to
where the DDoS attack was consuming almost 500mbps (50% of total
bandwidth) available. We still had 500mbps more that we would've
liked to have used for our business purposes, but the problem with
these attacks is that they are NOT just meant to choke the BANDWIDTH;
they are actually meant to choke the CPU and other resources on your
firewalls or any devices you have in front.

It's just that if some device was there upstream to take 50% or more
of the load from the firewalls (CPU resources etc.) in these attacks, maybe
the firewalls won't be so busy that they stop responding to legitimate
requests. Of course BANDWIDTH consumption becomes a problem where, if
you had a smaller pipe, then basically you are screwed. I know that the
ISPs can provide protection and some of them have already started
doing so, but at a HUGE COST per month, and frankly they have their
reasons for not protecting against such attacks: why would ISPs do
the filtering for free when they are making money because of the
attack? That is, charging the customer for bandwidth usage. Let's get
realistic, they would never do that unless it becomes so much of a
problem that all their customers start seeing the ill effects of that
attack.

The bandwidth issue can be sort of tackled separately, whereas you are
finding command and control servers and eliminating them that way, but
that's another topic. Also, when the device is sending ACKs back, you
are sort of also, in another way or form, ATTACKING BACK, but that's just
a zombie system out there where the person is just wondering why he
cannot even google, knowing nothing about his bandwidth being choked because
of the attack.

I just thought to throw this out to the group and see if there was a
person/group of people who have implemented such a solution using a
combination of technologies (both open source and/or monetary). I
already see OpenBSD/PF as a very good combination in defending companies
from such attacks.

Any comments are welcome :)

/Parvinder Bhasin
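The SYNPROXY-plus-rate-limiting box the original post sketches can be expressed as an ordinary pf.conf on a dedicated OpenBSD machine forwarding between the two NICs. The following is an added example for this thread, not a configuration posted by anyone in it; it uses the OpenBSD 4.x pf.conf dialect current when the thread was written, takes the interface names fxp0/fxp1 from the post, and assumes a single protected web server whose address (192.0.2.10, TEST-NET-1) is a placeholder.

```pf
# Added example, not part of any message in this thread.
# Dedicated OpenBSD box in front of the real firewall: fxp0 faces the
# internet, fxp1 faces the firewall. Server address is a placeholder.
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "192.0.2.10"   # placeholder, replace with the protected host

# Sources that trip the connection limits land here and are dropped outright.
table <flooders> persist

set skip on lo0
# Raise the state-table ceiling above the default so a flood does not exhaust
# it before the per-source limits kick in; size this to the box's RAM.
set limit states 100000

block in quick on $ext_if from <flooders>

# synproxy state: this box answers the SYN and completes the three-way
# handshake with the client itself; only once the client's ACK arrives does
# PF open the connection through to $web_srv. Half-open or spoofed SYNs
# therefore never produce traffic on $int_if.
# max-src-conn / max-src-conn-rate: a single source holding more than 100
# established connections, or opening more than 25 in 5 seconds, is added
# to <flooders> and all of its existing states are torn down (flush global).
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 25/5, \
     overload <flooders> flush global)

# Let the proxied connection leave towards the firewall side.
pass out on $int_if proto tcp to $web_srv port 80 keep state
```

Two points worth noting when using this as the "upstream" box the post asks about. First, pf.conf(5) counts max-src-conn only over TCP connections that have completed the handshake, so with synproxy in front, SYNs from forged source addresses never complete one and cannot fill <flooders> with innocent addresses; the overload table only ever holds sources that really talked to the box. Second, as the post itself says, none of this reduces the bytes arriving on the GigE link; what the box does is absorb the handshake and state-tracking work so the firewall behind it only ever sees fully established connections. Entries in <flooders> persist until removed (for example with pfctl -t flooders -T expire), so the table should be pruned on a schedule rather than left to grow.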
