DDoS Migitation Level

[lucifercipher]

Has anyone experienced a small or medium level DDoS attack ? Please share your experiences. Today i ran an inhouse DDoS simulation and an i7 , quad core with 8 Gig of RAM boped in Though the device knew a TCP/UDP DDoS was under way.

[Tikimotel]

Some sysctl tunable might already be set correctly, but I've included the freebsd default anyway in the description comment.

Here is part of my system->settings->system tunables:

Tunable Name	Description	Value
net.inet.tcp.syncache.rexmtlimit	Reduce the amount of SYN/ACKs the server will re-transmit to an ip address whom did not respond to the first SYN/ACK. # (default 3)	0
net.inet.ip.rtexpire	Spoofed packet attacks may be used to overload the kernel route cache. http://www.es.freebsd.org/doc/handbook/securing-freebsd.html (page is gone?) # (default 3600)	10
net.inet.ip.check_interface	General security and DoS mitigation: verify packet arrives on correct interface (default 0)	1
net.inet.ip.process_options	General security and DoS mitigation: ignore IP options in the incoming packets (default 1)	0
net.inet.ip.random_id	General security and DoS mitigation: assign a random IP_ID to each packet leaving the system (default 0)	1
net.inet.ip.redirect	General security and DoS mitigation: do not send IP redirects (default 1)	0
net.inet.icmp.drop_redirect	General security and DoS mitigation: no redirected ICMP packets (default 0)	1
net.inet.tcp.always_keepalive	General security and DoS mitigation: disable tcp keep alive detection for dead peers, can be spoofed (default 1)	0
net.inet.tcp.drop_synfin	General security and DoS mitigation: SYN/FIN packets get dropped on initial connection (default 0)	1
net.inet.tcp.fast_finwait2_recycle	General security and DoS mitigation: recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)	0
net.inet.tcp.msl	General security and DoS mitigation: Maximum Segment Lifetime is the time a TCP segment can exist on the network and is used to determine the TIME_WAIT interval, 2*MSL (default 30000 which is 60 seconds)	5000
net.inet.tcp.path_mtu_discovery	General security and DoS mitigation: disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)	0
net.inet.udp.blackhole	General security and DoS mitigation: drop udp packets destined for closed sockets (default 0)	1
net.inet.tcp.blackhole	General security and DoS mitigation: drop tcp packets destined for closed ports (default 0)	2
security.bsd.see_other_uids	General security and DoS mitigation: users only see their own processes. root can see all (default 1)	0

[lucifercipher]

Thank you for your reply. The basic DoS features are pretty good but DDoS is 100x more flow of wanted DoS traffic. The defaults from FreeBSD don't actually handle normal DDoS so im pretty sure that higher level DDoS attacks will kill the default installs. Its not about OPNSense being more vulnerable to DDoS attacks but the aggressive turntables needed to prevent them.

[Tikimotel]

Well, if flow is important than you can take a look at the bsdrouter project.

http://bsdrp.net/documentation/technical_docs/performance

and in particular this blog post:
http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html

Nice to see the difference in IPFW and fastforwarding performance in this test.

[lucifercipher]

Thanks for your advise but that is not an option to switch over to something else completely if a small bug/feature becomes an issue. What we can do is try to optimize it and fix the issue (if any) . The website www.calomel.org has pretty nice DDoS mitigation info and i am doing a rebuild of the NanoBSD alongwith other tweaks to handle DDoS better.