Has anyone experienced a small or medium level DDoS attack? Please share your experiences. Today I ran an in-house DDoS simulation and an i7, quad core with 8 GB of RAM boped in :) Though the device knew a TCP/UDP DDoS was under way.
Some sysctl tunables might already be set correctly, but I've included the FreeBSD default anyway in the description comment.
Here is part of my System -> Settings -> System Tunables:
| Tunable Name | Description | Value |
|---|---|---|
| net.inet.tcp.syncache.rexmtlimit | Reduce the amount of SYN/ACKs the server will re-transmit to an IP address that did not respond to the first SYN/ACK. (default 3) | 0 |
| net.inet.ip.rtexpire | Spoofed packet attacks may be used to overload the kernel route cache. http://www.es.freebsd.org/doc/handbook/securing-freebsd.html (page is gone?) (default 3600) | 10 |
| net.inet.ip.check_interface | General security and DoS mitigation: verify packet arrives on correct interface (default 0) | 1 |
| net.inet.ip.process_options | General security and DoS mitigation: ignore IP options in the incoming packets (default 1) | 0 |
| net.inet.ip.random_id | General security and DoS mitigation: assign a random IP_ID to each packet leaving the system (default 0) | 1 |
| net.inet.ip.redirect | General security and DoS mitigation: do not send IP redirects (default 1) | 0 |
| net.inet.icmp.drop_redirect | General security and DoS mitigation: no redirected ICMP packets (default 0) | 1 |
| net.inet.tcp.always_keepalive | General security and DoS mitigation: disable TCP keep-alive detection for dead peers, can be spoofed (default 1) | 0 |
| net.inet.tcp.drop_synfin | General security and DoS mitigation: SYN/FIN packets get dropped on initial connection (default 0) | 1 |
| net.inet.tcp.fast_finwait2_recycle | General security and DoS mitigation: recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0) | 0 |
| net.inet.tcp.msl | General security and DoS mitigation: Maximum Segment Lifetime is the time a TCP segment can exist on the network and is used to determine the TIME_WAIT interval, 2*MSL (default 30000 which is 60 seconds) | 5000 |
| net.inet.tcp.path_mtu_discovery | General security and DoS mitigation: disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1) | 0 |
| net.inet.udp.blackhole | General security and DoS mitigation: drop UDP packets destined for closed sockets (default 0) | 1 |
| net.inet.tcp.blackhole | General security and DoS mitigation: drop TCP packets destined for closed ports (default 0) | 2 |
| security.bsd.see_other_uids | General security and DoS mitigation: users only see their own processes, root can see all (default 1) | 0 |
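As an added example (not code from the post above, and not from OPNsense or FreeBSD), here is a small POSIX sh checker that takes a `sysctl -a`-style dump in FreeBSD's `oid: value` format and reports which of the tunables in the table are not actually in effect, then prints the `sysctl` commands that would apply the rest. On a real firewall you would call it as `check_tunables "$(sysctl -a)"`; the dump embedded here is constructed sample data, with two values deliberately left at the FreeBSD default. The `oid: value` output format is the assumption the parser relies on.

```shell
#!/bin/sh
# Added example, not code from the forum post: verify which of the
# DoS-mitigation tunables listed in the table are in effect on a box.
# Input is a "sysctl -a"-style dump in FreeBSD's "oid: value" format.
# The dump embedded below is CONSTRUCTED sample data, not real output.

# Desired values, one "oid=value" per line, copied from the table above.
WANTED='net.inet.tcp.syncache.rexmtlimit=0
net.inet.ip.rtexpire=10
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.always_keepalive=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.fast_finwait2_recycle=0
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0'

# Constructed sample dump: most tunables already applied, but
# syncache.rexmtlimit and tcp.blackhole are still at the FreeBSD default.
SAMPLE_DUMP='kern.hostname: fw.example.test
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.ip.rtexpire: 10
net.inet.ip.check_interface: 1
net.inet.ip.process_options: 0
net.inet.ip.random_id: 1
net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 1
net.inet.tcp.always_keepalive: 0
net.inet.tcp.drop_synfin: 1
net.inet.tcp.fast_finwait2_recycle: 0
net.inet.tcp.msl: 5000
net.inet.tcp.path_mtu_discovery: 0
net.inet.udp.blackhole: 1
net.inet.tcp.blackhole: 0
security.bsd.see_other_uids: 0'

# What the dump looks like once every value in WANTED has been applied.
APPLIED_DUMP=$(printf '%s\n' "$WANTED" | sed 's/=/: /')

# check_tunables DUMP
# Prints one line per tunable that is missing from DUMP or differs from
# WANTED, as "oid: current -> wanted", and returns the number of such
# tunables as its exit status (0 means everything is in effect).
check_tunables() {
  dump=$1
  mismatches=0
  for pair in $WANTED; do          # default IFS splits on newlines; no spaces in pairs
    oid=${pair%%=*}
    want=${pair#*=}
    cur=$(printf '%s\n' "$dump" | awk -v o="$oid" '$1 == o ":" { print $2; exit }')
    if [ -z "$cur" ]; then
      echo "$oid: not present -> $want"
      mismatches=$((mismatches + 1))
    elif [ "$cur" != "$want" ]; then
      echo "$oid: $cur -> $want"
      mismatches=$((mismatches + 1))
    fi
  done
  return $mismatches
}

# fix_commands DUMP
# Prints the sysctl(8) commands that would bring DUMP in line with WANTED.
# These only last until reboot; on OPNsense the same oid=value pairs belong
# in System -> Settings -> Tunables so they persist.
fix_commands() {
  check_tunables "$1" | awk -F'[: ]+' '{ print "sysctl " $1 "=" $NF }'
}

if check_tunables "$SAMPLE_DUMP"; then
  echo "all DoS-mitigation tunables from the table are in effect"
else
  echo "tunables still differing from the table; to apply them now:"
  fix_commands "$SAMPLE_DUMP"
fi
```

The exit status doubles as a mismatch count, so the checker can be dropped into a cron job or a post-upgrade script and treated as a failing health check whenever it is non-zero.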
Thank you for your reply. The basic DoS features are pretty good, but DDoS is 100x more flow of wanted DoS traffic. The defaults from FreeBSD don't actually handle normal DDoS, so I'm pretty sure that higher level DDoS attacks will kill the default installs. It's not about OPNsense being more vulnerable to DDoS attacks but the aggressive tunables needed to prevent them.
Well, if flow is important, then you can take a look at the bsdrouter project.
http://bsdrp.net/documentation/technical_docs/performance
and in particular this blog post:
http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html
Nice to see the difference in IPFW and fastforwarding performance in this test.
Thanks for your advice, but switching over to something else completely is not an option if a small bug/feature becomes an issue. What we can do is try to optimize it and fix the issue (if any). The website www.calomel.org has pretty nice DDoS mitigation info, and I am doing a rebuild of the NanoBSD along with other tweaks to handle DDoS better.