Re: DDOS Attack!!!who can help me?

2005-08-03 Thread Denis Augusto Araujo de Souza
Are there examples for this configuration?

Thanks,
Denis
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 29, 2005 4:12 AM
To: Sean Knox
Cc: jeff; misc@openbsd.org; jking1
Subject: Re: DDOS Attack!!!who can help me?

Define a filter to drop the packets with SYN+FIN flags set.

Mihai

 jeff wrote:
 Sean Knox wrote:

 tcpdump logs and pf.conf snipped

 The only people who can help are your ISP. Talk to them and hopefully
 they can trace the attack upstream.


 I once added this to pf.conf to mitigate a DDoS. It appeared to have 
 worked, but it may have been a placebo effect ;)

 set optimization aggressive
 set timeout tcp.first 45
 set timeout tcp.established 43200
 set timeout { adaptive.start 3, adaptive.end 45000 }
 set limit states 4



 This might help with a SYN attack as long as you still have available
 bandwidth. Additionally, this wouldn't help against any non-TCP packet.
 If an attacker is exhausting your pipe, all the firewalling in the
 world won't help. You'll have to have upstream ISPs route the packets
 into /dev/null.

 sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread jeff

Sean Knox wrote:

tcpdump logs and pf.conf snipped

The only people who can help are your ISP. Talk to them and hopefully 
they can trace the attack upstream.


I once added this to pf.conf to mitigate a DDoS. It appeared to have 
worked, but it may have been a placebo effect ;)


set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 3, adaptive.end 45000 }
set limit states 4

-Jeff



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Sean Knox

jeff wrote:

Sean Knox wrote:


tcpdump logs and pf.conf snipped

The only people who can help are your ISP. Talk to them and hopefully 
they can trace the attack upstream.



I once added this to pf.conf to mitigate a DDoS. It appeared to have 
worked, but it may have been a placebo effect ;)


set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 3, adaptive.end 45000 }
set limit states 4




This might help with a SYN attack as long as you still have available 
bandwidth. Additionally, this wouldn't help against any non-TCP packet. 
If an attacker is exhausting your pipe, all the firewalling in the world 
won't help. You'll have to have upstream ISPs route the packets into 
/dev/null.


sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread mihai . tamas
Define a filter to drop the packets with SYN+FIN flags set.

Mihai

 jeff wrote:
 Sean Knox wrote:

 tcpdump logs and pf.conf snipped

 The only people who can help are your ISP. Talk to them and hopefully
 they can trace the attack upstream.


 I once added this to pf.conf to mitigate a DDoS. It appeared to have
 worked, but it may have been a placebo effect ;)

 set optimization aggressive
 set timeout tcp.first 45
 set timeout tcp.established 43200
 set timeout { adaptive.start 3, adaptive.end 45000 }
 set limit states 4



 This might help with a SYN attack as long as you still have available
 bandwidth. Additionally, this wouldn't help against any non-TCP packet.
 If an attacker is exhausting your pipe, all the firewalling in the world
 won't help. You'll have to have upstream ISPs route the packets into
 /dev/null.

 sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Han Boetes
Disable logging since it takes up a lot of resources and ``set
block-policy drop'' so your machine won't attempt to reply to
bogus requests.

Normally I'm not in favour of these measures. Logging a DDoS for
a while must be done to gather evidence, and logging must be done at
all other times as well.

It won't help your connection but at least your machine becomes
responsive again.



# Han
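Pulling the suggestions in this thread together (jeff's state-table tuning, Sean's caveat that it only helps while there is bandwidth left, Mihai's SYN+FIN filter and Han's ``set block-policy drop'' with logging turned off) into one pf.conf. This is an added example, not a configuration anyone in the thread posted. It uses current OpenBSD pf.conf syntax (the `match ... scrub` form rather than the old `scrub` directive; the SYN+FIN rule is the same in both), and it assumes an external interface named `em0`, services on ports 80 and 443, and state, per-source and rate values that are illustrative starting points to be sized against the host's memory and its normal traffic.

```pf
# /etc/pf.conf -- SYN-flood hardening for a single exposed host.
# Assumptions (not from the thread): external interface em0, services on
# 80/443, and every numeric limit below is an illustrative starting point.
ext_if = "em0"
tcp_services = "{ 80 443 }"

# Han: drop silently instead of answering bogus traffic with RST/ICMP.
set block-policy drop
set skip on lo

# jeff: aggressive TCP timeouts so half-open and idle states expire fast.
set optimization aggressive
set timeout { tcp.first 45, tcp.established 43200 }

# Size the state table for the host's RAM. Adaptive timeouts start
# scaling every timeout down once adaptive.start states exist and reach
# zero at adaptive.end, so a flood cannot wedge the table full.
set limit states 100000
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Sources that trip the per-source limits below are collected here.
table <flooders> persist

# Normalise fragments, randomise IP IDs and clamp the MSS.
match in all scrub (no-df random-id max-mss 1440)

# Default deny. No "log" keyword on the block rules: Han's point is that
# logging a flood burns CPU and disk; turn it back on deliberately when
# you are gathering evidence.
block all

# Mihai: SYN+FIN is an illegal flag combination. A plain "flags S/SA"
# pass rule only looks at SYN and ACK and would still open state for
# such a packet, so drop it explicitly before any pass rule.
block in quick on $ext_if inet proto tcp flags FS/FS

# Anyone already identified as a flooder is dropped before any pass rule.
block in quick on $ext_if from <flooders>

# synproxy: pf completes the three-way handshake itself and only opens
# the connection to the daemon once the client's ACK arrives, so spoofed
# SYNs never reach the listening service. max-src-conn caps concurrent
# connections per source, max-src-conn-rate caps new ones (here 15 per
# 5 s); offenders land in <flooders> and their existing states are flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <flooders> flush global)

# The host's own outbound traffic.
pass out on $ext_if inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -si` shows the state-table counters so you can see whether the adaptive timeouts are kicking in, and `pfctl -t flooders -T show` lists the sources that tripped the limits. pf still tracks each proxied SYN in its state table, which is why the state limit and adaptive timeouts are part of the picture and not just synproxy. Sean's caveat stands unchanged: this keeps the daemon and the state table alive while the link has headroom, and does nothing for non-TCP traffic or for a flood that saturates the pipe itself, where only upstream filtering or blackholing by the ISP helps.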



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Will H. Backman
With DoS, there was something you could do. With DDoS, you will have to
either get a huge pipe and systems to just take it, or move and have
your ISP do something like http://www.secsup.org/Tracking/



Re: DDOS Attack!!!who can help me?

2005-07-28 Thread Sean Knox

tcpdump logs and pf.conf snipped

The only people who can help are your ISP. Talk to them and hopefully 
they can trace the attack upstream.


sk