Re: OpenBSD and SYNFlood / DDoS protection
synproxy in pf already makes sure the 3-way handshake completes before the connection is completed on the other side; rate limiting can also be done on the OpenBSD firewall, so it's not clear why you would need an extra box there.

The bigger problem with DDoS attacks is that the upstream pipe is filled up with traffic, and no matter how much technology you deploy at your end of the pipe, it's still going to be full. Rate limiting and such needs to be deployed further out, at your ISP, and possibly further upstream.

Also, it would help if all ISPs implemented proper egress filtering to prevent spoofing.

On Fri, Jul 18, 2008 at 10:27:36PM -0700, Parvinder Bhasin wrote:
> This may be dumb but won't hurt to throw this out there. Maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there; in that case I would like to know what :). I know of many 100K devices that will do this.
>
> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
>
> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
>
> Anyone?? Any takers??
>
> /Parvinder Bhasin
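To illustrate Ryan's point that both pieces already live in pf on the firewall itself, here is an added pf.conf fragment (example configuration written for this thread, not from any poster or from the OpenBSD tree) that combines synproxy with per-source connection-rate limiting; the interface name, server address and table name are assumptions.

```pf
# Added example, not from the thread. Names below are assumptions:
# fxp0 is the external interface, 192.0.2.10 is a constructed (RFC 5737)
# web server address behind the firewall.
ext_if  = "fxp0"
web_srv = "192.0.2.10"

# Sources that exceed the rate limit are collected here. Entries never
# age out on their own; clear old ones from cron with e.g.
#   pfctl -t flooders -T expire 3600
table <flooders> persist

# Default deny on the external interface; later pass rules win (last match).
block in on $ext_if all

# Anything already flagged as a flooder is dropped before state lookup.
block in quick on $ext_if from <flooders>

# synproxy state: pf answers the client's SYN with its own SYN+ACK and
# only opens the connection to $web_srv after the client's ACK completes
# the handshake, so half-open (SYN-flood) connections never reach the
# server. The state options do the rate limiting:
#   max-src-conn 50          at most 50 completed connections per source
#   max-src-conn-rate 100/10 more than 100 new connections in 10 seconds
#                            from one source trips the overload
#   overload <flooders>      the offending source is added to the table
#   flush global             and all of its existing states are killed
pass in on $ext_if proto tcp to $web_srv port 80 \
    synproxy state \
    (max-src-conn 50, max-src-conn-rate 100/10, \
     overload <flooders> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch the table with `pfctl -t flooders -T show` during an incident. This only protects the server and the firewall's state table; as the thread notes, it does nothing for a saturated upstream link.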
Re: OpenBSD and SYNFlood / DDoS protection
2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
> This may be dumb but won't hurt to throw this out there. Maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there; in that case I would like to know what :). I know of many 100K devices that will do this.
>
> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
>
> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
>
> Anyone?? Any takers??
>
> /Parvinder Bhasin

I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.

Also from http://www.rayservers.com/ddos-protection :

> The bottom line is that whatever the appliance you use, you need upstream bandwidth to be able to discard the attack traffic while allowing legitimate traffic to your existing servers. You also need competent persons who understand the technical issues, hardware and network bottlenecks and can put a solution in place that is resistant to abuse that works with your budget.

--ropers
Re: OpenBSD and SYNFlood / DDoS protection
* Ryan McBride [EMAIL PROTECTED] [2008-07-19 10:16]:
> The bigger problem with DDoS attacks is that the upstream pipe is filled up with traffic

that was true in the 90s, and maybe the first half of this decade, but really isn't any more. Most server installs I have worked with have the pipe limit at 100 MBit/s at their LAN port. A DoS with 5 MBit/s can be very effective.

> Also, it would help if all ISP's implemented proper egress filtering to prevent spoofing.

!!!

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 1:26 AM, ropers wrote:
> 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
>> This may be dumb but won't hurt to throw this out there. Maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there; in that case I would like to know what :). I know of many 100K devices that will do this.
>>
>> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
>>
>> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
>>
>> Anyone?? Any takers??
>>
>> /Parvinder Bhasin
>
> I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.

Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream.

So I have experienced (my network) an attack that choked our GigE link to where the DDoS attack was consuming almost 500mbps (50% of total bandwidth) available. We still had 500mbps more that we would've liked to have used for our business purposes, but the problem with these attacks is that they are NOT just meant to choke the BANDWIDTH, they are actually meant to choke the CPU and other resources on your firewalls or any devices you have in front. It's just that if some device was there upstream to take 50% or more load from the firewalls (CPU resources etc.) in these attacks, maybe the firewalls won't be that busy as to stop responding to legitimate requests. Of course BANDWIDTH consumption becomes a problem where if you had a smaller pipe then basically you are screwed.

I know that the ISPs can provide protection and some of them have already started doing so, but at a HUGE COST per month, and frankly they have their reasons for not protecting against such attacks, as why would ISPs do the filtering for free when they are making money because of the attack? That is, charging the customer for bandwidth usage. Let's get realistic: they would never do that unless it becomes so much of a problem that all their customers start seeing the ill effects of that attack.

The bandwidth issue can be sort of tackled separately, where you are finding command and control servers and eliminating them that way, but that's another topic. Also when the device is sending ACKs back, you are sort of also in another way or form ATTACKING BACK, but that's just a zombie system out there where the person is just wondering why he cannot even google, knowing nothing that his bandwidth is choked because of the attack.

I just thought to throw this out to the group and see if there was a person/group of people who have implemented such a solution using a combination of technologies (both open source and/or monetary). I already see OpenBSD/PF as a very good combination in defending companies from such attacks.

Any comments are welcome :)

/Parvinder Bhasin
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 1:26 AM, ropers wrote:
> I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.

2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
> Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream.

I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children.

--ropers
Re: OpenBSD and SYNFlood / DDoS protection
* Parvinder Bhasin [EMAIL PROTECTED] [2008-07-19 23:12]:
> Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack

yes, sure. I have used OpenBSD to fight various forms of (D)DoS multiple times. How? Different each and every time. It depends on the form of the attack.

These "plug that in and you don't have DDoS" devices cannot work. There are some that do clever things to detect anomalies and help you fighting back. Some are even OpenBSD based. Just fighting back doesn't require these usually, but an experienced and clueful person. That you still need even with these kind of devices. But there is no plug and play solution, in any way.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 2:31 PM, ropers wrote:
> On Jul 19, 2008, at 1:26 AM, ropers wrote:
>> I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.
>
> 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
>> Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream.
>
> I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children.
>
> --ropers

LoL :) didn't get a word out of it, but yeah, I think you took my suggestion of "all comments are welcome" to the next level.

Cheers!
Re: OpenBSD and SYNFlood / DDoS protection
btw: Ropers, thanks for the link.

On Jul 19, 2008, at 2:31 PM, ropers wrote:
> On Jul 19, 2008, at 1:26 AM, ropers wrote:
>> I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.
>
> 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
>> Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream.
>
> I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children.
>
> --ropers
OpenBSD and SYNFlood / DDoS protection
This may be dumb but won't hurt to throw this out there. Maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there; in that case I would like to know what :). I know of many 100K devices that will do this.

Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?

Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??

Anyone?? Any takers??

/Parvinder Bhasin