Re: DDOS Attack!!!who can help me?
Are there examples for this configuration? Thanks,

Denis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, July 29, 2005 4:12 AM
To: Sean Knox
Cc: jeff; misc@openbsd.org; jking1
Subject: Re: DDOS Attack!!!who can help me?

> Define a filter to drop the packets with SYN+FIN flags set.
>
> Mihai
>
> jeff wrote:
>> Sean Knox wrote:
>>> [tcpdump logs and pf.conf snipped]
>>>
>>> The only people who can help is your ISP. Talk to them and hopefully
>>> they can trace the attack upstream.
>>
>> I once added this to pf.conf to mitigate a DDoS. It appeared to have
>> worked, but it may have been a placebo effect ;)
>>
>>   set optimization aggressive
>>   set timeout tcp.first 45
>>   set timeout tcp.established 43200
>>   set timeout { adaptive.start 3, adaptive.end 45000 }
>>   set limit states 4
>
> This might help with a SYN attack as long as you still have available
> bandwidth. Additionally, this wouldn't help against any non-TCP packet.
> If an attacker is exhausting your pipe, all the firewalling in the
> world won't help. You'll have to have upstream ISPs route the packets
> into /dev/null.
>
> sk
Re: DDOS Attack!!!who can help me?
Sean Knox wrote:
> [tcpdump logs and pf.conf snipped]
>
> The only people who can help is your ISP. Talk to them and hopefully
> they can trace the attack upstream.

I once added this to pf.conf to mitigate a DDoS. It appeared to have
worked, but it may have been a placebo effect ;)

  set optimization aggressive
  set timeout tcp.first 45
  set timeout tcp.established 43200
  set timeout { adaptive.start 3, adaptive.end 45000 }
  set limit states 4

-Jeff
Re: DDOS Attack!!!who can help me?
jeff wrote:
> Sean Knox wrote:
>> [tcpdump logs and pf.conf snipped]
>>
>> The only people who can help is your ISP. Talk to them and hopefully
>> they can trace the attack upstream.
>
> I once added this to pf.conf to mitigate a DDoS. It appeared to have
> worked, but it may have been a placebo effect ;)
>
>   set optimization aggressive
>   set timeout tcp.first 45
>   set timeout tcp.established 43200
>   set timeout { adaptive.start 3, adaptive.end 45000 }
>   set limit states 4

This might help with a SYN attack as long as you still have available
bandwidth. Additionally, this wouldn't help against any non-TCP packet.
If an attacker is exhausting your pipe, all the firewalling in the
world won't help. You'll have to have upstream ISPs route the packets
into /dev/null.

sk
Re: DDOS Attack!!!who can help me?
Define a filter to drop the packets with SYN+FIN flags set.

Mihai

jeff wrote:
> Sean Knox wrote:
>> [tcpdump logs and pf.conf snipped]
>>
>> The only people who can help is your ISP. Talk to them and hopefully
>> they can trace the attack upstream.
>
> I once added this to pf.conf to mitigate a DDoS. It appeared to have
> worked, but it may have been a placebo effect ;)
>
>   set optimization aggressive
>   set timeout tcp.first 45
>   set timeout tcp.established 43200
>   set timeout { adaptive.start 3, adaptive.end 45000 }
>   set limit states 4

This might help with a SYN attack as long as you still have available
bandwidth. Additionally, this wouldn't help against any non-TCP packet.
If an attacker is exhausting your pipe, all the firewalling in the
world won't help. You'll have to have upstream ISPs route the packets
into /dev/null.

sk
Re: DDOS Attack!!!who can help me?
Disable logging since it takes up a lot of resources, and ``set block-policy drop'' so your machine won't attempt to reply to bogus requests.

Normally I'm not in favour of these measures. Logging a DDoS for a while must be done to gather evidence, and logging must be done at all other times as well.

It won't help your connection, but at least your machine becomes responsive again.

# Han
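A pf.conf excerpt that combines the measures suggested in this thread (Jeff's aggressive timeouts and state limit, Mihai's SYN+FIN filter, Han's ``set block-policy drop'' with no logging), added here as an example and not taken from any message in the thread. The interface name, the state-limit and adaptive numbers, and the synproxy rule at the end (which goes beyond what the thread suggests) are assumptions.

```conf
# pf.conf excerpt: constructed example, not from the thread.
# Interface name and the state/adaptive numbers are assumptions.
ext_if = "em0"

# Han: silently drop blocked packets instead of answering them with a
# TCP RST or ICMP unreachable. The rules below also carry no "log"
# keyword, so the firewall spends nothing on logging during the flood.
set block-policy drop

# Jeff: expire states aggressively. Explicit timeouts override the
# "aggressive" preset. The adaptive values are assumed to bracket the
# state limit: pf scales all timeouts down linearly once the table holds
# adaptive.start entries and reaches zero at adaptive.end.
set optimization aggressive
set limit states 20000
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 12000, adaptive.end 24000 }

# Mihai: drop segments with both SYN and FIN set, which no legitimate
# TCP stack produces. "SF/SF" tests only the SYN and FIN bits and
# ignores the rest, so the rule matches regardless of other flags.
block in quick on $ext_if proto tcp flags SF/SF

# Default deny on the external interface; nothing else creates state.
block in on $ext_if

# Create state only from a bare SYN (SYN set, ACK clear). "synproxy"
# goes beyond the thread: pf completes the three-way handshake itself
# and only then opens the connection to the server, so half-open
# connections from a SYN flood never reach the host behind the firewall.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } \
    flags S/SA synproxy state
```

As Sean notes in the thread, none of this helps once the link itself is saturated; the settings only keep the host responsive while bandwidth remains.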
Re: DDOS Attack!!!who can help me?
With DOS, there was something you could do. With DDOS, you will have to either get a huge pipe and systems to just take it, or move and have your ISP do something like http://www.secsup.org/Tracking/
Re: DDOS Attack!!!who can help me?
[tcpdump logs and pf.conf snipped]

The only people who can help is your ISP. Talk to them and hopefully
they can trace the attack upstream.

sk