Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Ryan McBride
synproxy in pf already makes sure the 3-way handshake completes before
the connection is completed on the other side; rate limiting can also be
done on the OpenBSD firewall, so it's not clear why you would need an
extra box there.

The bigger problem with DDoS attacks is that the upstream pipe is filled
up with traffic, and no matter how much technology you deploy at your
end of the pipe, it's still going to be full. Rate limiting and such
needs to be deployed further out, at your ISP, and possibly further
upstream.

Also, it would help if all ISPs implemented proper egress filtering to
prevent spoofing.

On Fri, Jul 18, 2008 at 10:27:36PM -0700, Parvinder Bhasin wrote:
 This may be dumb but won't hurt to throw this out there, maybe this has
 to be built with a combination of tools, technologies etc but I would
 definitely like to first collect as much info and then maybe work on
 this (or maybe the solution - open source - is already out there, in that
 case I would like to know what :), I know of many 100K devices that will
 do this.

 Is there a way that I can set up a machine (another OpenBSD machine) in
 front of an OpenBSD firewall to help against DDoS attacks?
 If so what would be the proper approach in doing so (if someone has already
 approached this subject).

 Machine would have 2 or 3 NICs (3rd NIC for management maybe?).
 You take the internet drop on the first port, say for example: fxp0
 (external_if). Maybe implement SYNCOOKIE (technology). The traffic
 only gets passed on to the firewall port through fxp1 (internal_if),
 once the server gets the ACK back. Would SYNPROXY do this too??
 This machine could also be doing some form of RATE LIMITING?? maybe??

 Anyone?? Any takers??

 /Parvinder Bhasin


-- 
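A pf.conf fragment showing the two measures Ryan names, synproxy and per-source rate limiting, on the OpenBSD firewall itself, plus the local egress filter he asks ISPs for. This is an added example, not from any post in the thread; the interface name, addresses and thresholds are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Interface, addresses and limits are
# assumptions; 192.0.2.0/24 is an RFC 5737 documentation range used as a
# constructed sample.
ext_if  = "fxp0"
web_srv = "192.0.2.10"
my_nets = "{ 192.0.2.0/24 }"   # constructed: networks behind this firewall

# Sources that exceeded the connection-rate limit land in this table.
table <flood> persist

# A flood aims to exhaust state memory and CPU, not only bandwidth:
# raise the state ceiling and time out idle/half-open states sooner.
set limit states 100000
set optimization aggressive

# Drop listed flooders before pf spends any effort creating state for them.
block in quick on $ext_if from <flood>

# Egress filtering (BCP 38) at our own edge: never let packets with a
# spoofed source leave towards the upstream.
block out quick on $ext_if inet from ! $my_nets

# synproxy: pf completes the TCP 3-way handshake with the client on its
# own and only then opens the connection to the server, so half-open SYNs
# never reach the server. max-src-conn-rate puts any source that opens
# more than 15 connections in 5 seconds into <flood>, and "flush global"
# kills every state that source already holds.
pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA synproxy state \
    (max-src-conn-rate 15/5, overload <flood> flush global)
```

During an attack, `pfctl -t flood -T show` lists the sources that tripped the limit and `pfctl -s info` shows state-table counters; the thresholds above need tuning to the real server's legitimate connection rate, or busy proxies and NAT gateways will be listed too.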



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread ropers
2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
 This may be dumb but won't hurt to throw this out there, maybe this has to
 be built with a combination of tools, technologies etc but I would definitely
 like to first collect as much info and then maybe work on this (or maybe
 the solution - open source - is already out there, in that case I would like
 to know what :), I know of many 100K devices that will do this.

 Is there a way that I can set up a machine (another OpenBSD machine) in
 front of an OpenBSD firewall to help against DDoS attacks?
 If so what would be the proper approach in doing so (if someone has already
 approached this subject).

 Machine would have 2 or 3 NICs (3rd NIC for management maybe?).
 You take the internet drop on the first port, say for example: fxp0
 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only
 gets passed on to the firewall port through fxp1 (internal_if), once the
 server gets the ACK back. Would SYNPROXY do this too??
 This machine could also be doing some form of RATE LIMITING?? maybe??

 Anyone?? Any takers??

 /Parvinder Bhasin

I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.

Also from http://www.rayservers.com/ddos-protection :

 The bottom line is that whatever the appliance you use, you need upstream
 bandwidth to be able to discard the attack traffic while allowing legitimate
 traffic to your existing servers. You also need competent persons who
 understand the technical issues, hardware and network bottlenecks and can put
 a solution in place that is resistant to abuse that works with your budget.

--ropers



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Henning Brauer
* Ryan McBride [EMAIL PROTECTED] [2008-07-19 10:16]:
 The bigger problem with DDoS attacks is that the upstream pipe is filled
 up with traffic

that was true in the 90s, and maybe the first half of this decade, but
really isn't any more. Most server installs I have worked with have
the pipe limit at 100 MBit/s at their lan port. A DoS with 5 MBit/s
can be very effective.

 Also, it would help if all ISPs implemented proper egress filtering to
 prevent spoofing.

!!!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 1:26 AM, ropers wrote:

 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

  This may be dumb but won't hurt to throw this out there, maybe this has
  to be built with a combination of tools, technologies etc but I would
  definitely like to first collect as much info and then maybe work on this
  (or maybe the solution - open source - is already out there, in that case
  I would like to know what :), I know of many 100K devices that will do this.

  Is there a way that I can set up a machine (another OpenBSD machine)
  in front of an OpenBSD firewall to help against DDoS attacks?
  If so what would be the proper approach in doing so (if someone has
  already approached this subject).

  Machine would have 2 or 3 NICs (3rd NIC for management maybe?).
  You take the internet drop on the first port, say for example: fxp0
  (external_if). Maybe implement SYNCOOKIE (technology). The traffic only
  gets passed on to the firewall port through fxp1 (internal_if), once the
  server gets the ACK back. Would SYNPROXY do this too??
  This machine could also be doing some form of RATE LIMITING?? maybe??

  Anyone?? Any takers??

  /Parvinder Bhasin

 I don't mean to be impolite, but considering that these guys
 http://www.rayservers.com/ddos-protection are the first Google hit
 for firewall ddos protection openbsd (w/o quotation marks), it would
 seem to me that you maybe didn't Use Teh Google.

Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that
there are PAY solutions; like I mentioned, I know of many devices
that can achieve this. I have done research on these devices and was
thinking maybe something (open source - OpenBSD based device?? maybe)
can be made to prevent this attack upstream.

So I have experienced (on my network) an attack that choked our GigE link to
where the DDoS attack was consuming almost 500Mbps (50% of the total
bandwidth) available. We still had 500Mbps more that we would've
liked to have used for our business purposes, but the problem with
these attacks is that they are NOT just meant to choke the BANDWIDTH,
they are actually meant to choke the CPU and other resources on your
firewalls or any devices you have in front.

It's just that if some device was there upstream to take 50% or more
of the load from the firewalls (CPU resources etc) in these attacks, maybe
the firewalls wouldn't be so busy as to stop responding to legitimate
requests. Of course BANDWIDTH consumption becomes a problem where, if
you had a smaller pipe, then basically you are screwed. I know that the
ISPs can provide protection and some of them have already started
doing so, but at a HUGE COST per month, and frankly they have their
reasons for not protecting against such attacks: why would ISPs do
the filtering for free when they are making money because of the
attack, that is, charging the customer for bandwidth usage? Let's get
realistic, they would never do that unless it becomes so much of a
problem that all their customers start seeing the ill effects of that
attack.

The bandwidth issue can be sort of tackled separately, whereas you are
finding command and control servers and eliminating them that way, but
that's another topic. Also, when the device is sending ACKs back, you
are sort of also, in another way or form, ATTACKING BACK, but that's just
a zombie system out there where the person is just wondering why he
cannot even google, not knowing that his bandwidth is choked because
of the attack.

I just thought to throw this out to the group and see if there was a
person/group of people who have implemented such a solution using a
combination of technologies (both open source and/or monetary). I
already see OpenBSD/PF as a very good combination in defending companies
from such attacks.

Any comments are welcome :)

/Parvinder Bhasin



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread ropers
 On Jul 19, 2008, at 1:26 AM, ropers wrote:

 I don't mean to be impolite, but considering that these guys
 http://www.rayservers.com/ddos-protection are the first Google hit
 for firewall ddos protection openbsd (w/o quotation marks), it would
 seem to me that you maybe didn't Use Teh Google.

2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

 Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there
 are PAY solutions; like I mentioned, I know of many devices that can
 achieve this. I have done research on these devices and was thinking maybe
 something (open source - OpenBSD based device?? maybe) can be made to
 prevent this attack upstream.

I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Henning Brauer
* Parvinder Bhasin [EMAIL PROTECTED] [2008-07-19 23:12]:
 Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that
 there are PAY solutions; like I mentioned, I know of many devices
 that can achieve this. I have done research on these devices and was
 thinking maybe something (open source - OpenBSD based device?? maybe)
 can be made to prevent this attack

yes, sure. I have used OpenBSD to fight various forms of (D)DoS
multiple times.
How?
Different each and every time.
It depends on the form of the attack.

These "plug that in and you don't have DDoS" devices cannot work.
There are some that do clever things to detect anomalies and help you
fight back. Some are even OpenBSD based. Just fighting back
doesn't usually require these, but an experienced and clueful person.
That you still need even with these kinds of devices.

But there is no plug and play solution, in any way.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 2:31 PM, ropers wrote:

  On Jul 19, 2008, at 1:26 AM, ropers wrote:

   I don't mean to be impolite, but considering that these guys
   http://www.rayservers.com/ddos-protection are the first Google hit
   for firewall ddos protection openbsd (w/o quotation marks), it would
   seem to me that you maybe didn't Use Teh Google.

 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

  Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that
  there are PAY solutions; like I mentioned, I know of many devices that can
  achieve this. I have done research on these devices and was thinking maybe
  something (open source - OpenBSD based device?? maybe) can be made to
  prevent this attack upstream.

 I personally believe that some people are unable to do so because, uh,
 some people out there on our list don't have man pages and, uh, I
 believe that our, uh, Internets like such as in, uh,
 www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
 like such as, and I believe that they should, uh, see how OpenBSD is
 mentioned over there on the rayservers page should help the people,
 uh, should help find man pages and should help Iraq and the Asian
 countries, so we will be able to build up our dDoS protection for our
 children.

 --ropers

LoL :) I didn't get a word out of it, but yeah, I think you took my
suggestion of "all comments are welcome" to the next level

Cheers!



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

btw: Ropers, thanks for the link.

On Jul 19, 2008, at 2:31 PM, ropers wrote:

  On Jul 19, 2008, at 1:26 AM, ropers wrote:

   I don't mean to be impolite, but considering that these guys
   http://www.rayservers.com/ddos-protection are the first Google hit
   for firewall ddos protection openbsd (w/o quotation marks), it would
   seem to me that you maybe didn't Use Teh Google.

 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

  Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that
  there are PAY solutions; like I mentioned, I know of many devices that can
  achieve this. I have done research on these devices and was thinking maybe
  something (open source - OpenBSD based device?? maybe) can be made to
  prevent this attack upstream.

 I personally believe that some people are unable to do so because, uh,
 some people out there on our list don't have man pages and, uh, I
 believe that our, uh, Internets like such as in, uh,
 www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
 like such as, and I believe that they should, uh, see how OpenBSD is
 mentioned over there on the rayservers page should help the people,
 uh, should help find man pages and should help Iraq and the Asian
 countries, so we will be able to build up our dDoS protection for our
 children.

 --ropers




OpenBSD and SYNFlood / DDoS protection

2008-07-18 Thread Parvinder Bhasin
This may be dumb but won't hurt to throw this out there, maybe this has
to be built with a combination of tools, technologies etc but I would
definitely like to first collect as much info and then maybe work on
this (or maybe the solution - open source - is already out there, in
that case I would like to know what :), I know of many 100K devices
that will do this.


Is there a way that I can set up a machine (another OpenBSD machine) in
front of an OpenBSD firewall to help against DDoS attacks?
If so what would be the proper approach in doing so (if someone has
already approached this subject).


Machine would have 2 or 3 NICs (3rd NIC for management maybe?).
You take the internet drop on the first port, say for example:
fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The
traffic only gets passed on to the firewall port through fxp1
(internal_if), once the server gets the ACK back. Would SYNPROXY
do this too??

This machine could also be doing some form of RATE LIMITING?? maybe??

Anyone?? Any takers??

/Parvinder Bhasin