On Sep 4, 2008, at 12:23 PM, Redd Vinylene wrote:
I was quite shocked today when I heard I could use pf to block against DDoS attacks, using Stateful Tracking Options, http://www.openbsd.org/faq/pf/filter.html#stateopts.

But does anybody have any nice setups of this they'd want to share?
I'd not describe that as an anti-DDoS capability. It's hard to simply
write a direct pf.conf that'll handle most attacks like this.
On the other hand, brute-force DDoS attacks are pretty easy to find and
block, once you know what you're looking for. For example, too many
requests to a specific port might be a brute-force attack, so tagging
that stream and assigning it to a specific low priority queue (or just
outright blocking) may work well (basically via overload rulesets in
pf.conf and altq).
But, most DDoS attacks aren't layer 7 (application), they're generally
layer 3 (network), and use ICMP, UDP, or TCP, and due to how delivery
of the packets will happen it can still saturate your line.
Of course, you can synproxy at the firewall for inbound TCP packets,
and hopefully preserve performance for the application behind it, and
simply permit the session to establish AFTER the handshake completed.
My likely assumption is that the same host hitting ports 80 and 443
too rapidly with too many requests may be an attacker, but it might be
a browser that's just configured to connect with multiple requests at
the same time (custom network.http.pipelining.maxrequests in Firefox,
for example). So outright blocking the IP could alienate some clients.
It would be better to assign to a low BW or low priority queue via
altq for a given table.
I've really put too much thought into this.
-jb
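To make the approach jb describes concrete, here is a constructed pf.conf fragment (added here, not from the thread or the OpenBSD FAQ) that combines synproxy, an overload table and an altq penalty queue; the interface name, bandwidths and thresholds are assumptions to be tuned for the real link and client mix.

```pf
# Constructed example pf.conf fragment (OpenBSD 4.x-era syntax with altq),
# not taken from the thread. Interface name, bandwidths and thresholds are
# assumptions; tune them for the link and the real client mix.
ext_if = "em0"
web_ports = "{ 80, 443 }"

# Sources that opened connections too fast land here. 'persist' keeps the
# table around even when no rule currently references it.
table <throttled> persist

# altq: a normal queue for everyone and a tiny penalty queue for abusers.
# Replies to a throttled source are starved rather than dropped, so a
# browser with aggressive pipelining still works, just slowly.
altq on $ext_if cbq bandwidth 10Mb queue { std, penalty }
queue std bandwidth 95% cbq(default)
queue penalty bandwidth 1% cbq

# Already-throttled sources: matched first ('quick'); reply traffic to them
# is sent through the penalty queue. 'keep state' is what lets the replies
# inherit the queue assignment.
pass in quick on $ext_if proto tcp from <throttled> to $ext_if \
    port $web_ports flags S/SA keep state queue penalty

# Everyone else: synproxy completes the TCP handshake on the firewall before
# the server sees the session. More than 15 new connections in 5 seconds
# (or more than 100 concurrent) from one source adds it to <throttled>, and
# 'flush global' tears down that source's existing states so its next
# connections hit the penalty rule above instead.
pass in on $ext_if proto tcp from any to $ext_if port $web_ports \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <throttled> flush global)

# Age entries out so a misconfigured browser is not penalised forever,
# e.g. hourly from cron:  pfctl -t throttled -T expire 3600
```

Keep in mind that pf counts sources by address, so many users behind one NAT gateway share a single rate budget; that is the main reason to throttle rather than block, and to watch `pfctl -t throttled -T show` for a while before lowering the thresholds.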