OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: lucifercipher on October 19, 2015, 05:48:14 pm

Title: DDoS Mitigation Level
Post by: lucifercipher on October 19, 2015, 05:48:14 pm
Has anyone experienced a small or medium level DDoS attack? Please share your experiences. Today I ran an in-house DDoS simulation and an i7, quad core with 8 Gig of RAM boped in :) Though the device knew a TCP/UDP DDoS was under way.
Title: Re: DDoS Mitigation Level
Post by: Tikimotel on October 21, 2015, 08:32:43 pm
Some sysctl tunables might already be set correctly, but I've included the FreeBSD default anyway in the description comment.

Here is part of my system->settings->system tunables:
Tunable Name | Description | Value
--- | --- | ---
net.inet.tcp.syncache.rexmtlimit | Reduce the amount of SYN/ACKs the server will re-transmit to an IP address that did not respond to the first SYN/ACK. # (default 3) | 0
net.inet.ip.rtexpire | Spoofed packet attacks may be used to overload the kernel route cache. http://www.es.freebsd.org/doc/handbook/securing-freebsd.html (page is gone?) # (default 3600) | 10
net.inet.ip.check_interface | General security and DoS mitigation: verify packet arrives on correct interface (default 0) | 1
net.inet.ip.process_options | General security and DoS mitigation: ignore IP options in the incoming packets (default 1) | 0
net.inet.ip.random_id | General security and DoS mitigation: assign a random IP_ID to each packet leaving the system (default 0) | 1
net.inet.ip.redirect | General security and DoS mitigation: do not send IP redirects (default 1) | 0
net.inet.icmp.drop_redirect | General security and DoS mitigation: no redirected ICMP packets (default 0) | 1
net.inet.tcp.always_keepalive | General security and DoS mitigation: disable TCP keepalive detection for dead peers, can be spoofed (default 1) | 0
net.inet.tcp.drop_synfin | General security and DoS mitigation: SYN/FIN packets get dropped on initial connection (default 0) | 1
net.inet.tcp.fast_finwait2_recycle | General security and DoS mitigation: recycle FIN_WAIT_2 states quickly (helps against DoS, but may cause false RST) (default 0) | 0
net.inet.tcp.msl | General security and DoS mitigation: Maximum Segment Lifetime is the time a TCP segment can exist on the network and is used to determine the TIME_WAIT interval, 2*MSL (default 30000, which is 60 seconds) | 5000
net.inet.tcp.path_mtu_discovery | General security and DoS mitigation: disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1) | 0
net.inet.udp.blackhole | General security and DoS mitigation: drop UDP packets destined for closed sockets (default 0) | 1
net.inet.tcp.blackhole | General security and DoS mitigation: drop TCP packets destined for closed ports (default 0) | 2
security.bsd.see_other_uids | General security and DoS mitigation: users only see their own processes, root can see all (default 1) | 0
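As an added example (not part of Tikimotel's post or of OPNsense itself), a POSIX sh audit script that compares a host's current sysctl values against the table above and reports every tunable still sitting at a different value. It assumes input in the `name=value` form that `sysctl -e` prints on FreeBSD; the sample input embedded here is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD/OPNsense host's sysctl
# values against Tikimotel's table. Runs offline against a constructed file;
# on a real box feed it `sysctl -e net.inet security.bsd` (name=value lines).

# Wanted values, copied from the table in the post.
WANTED='net.inet.tcp.syncache.rexmtlimit=0
net.inet.ip.rtexpire=10
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.always_keepalive=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.fast_finwait2_recycle=0
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0'

# audit_tunables FILE: print "name: want X, have Y" for each tunable whose
# current value differs or is missing; return status = number of mismatches.
audit_tunables() {
    _bad=0
    while IFS='=' read -r _name _want; do
        [ -n "$_name" ] || continue
        _have=$(sed -n "s/^${_name}=//p" "$1" | head -n 1)
        if [ "$_have" != "$_want" ]; then
            echo "$_name: want $_want, have ${_have:-<missing>}"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$_bad"
}

# Constructed sample (not a real capture): a host that applied a few of the
# tweaks but still carries FreeBSD defaults (or no value) elsewhere.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.inet.tcp.syncache.rexmtlimit=3
net.inet.ip.rtexpire=10
net.inet.tcp.blackhole=2
EOF
audit_tunables "$sample"; echo "mismatches: $?"
rm -f "$sample"
```

A clean exit status means the host matches the table; anything else is the count of tunables to revisit under System -> Settings -> System Tunables.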
Title: Re: DDoS Mitigation Level
Post by: lucifercipher on October 21, 2015, 09:56:35 pm
Thank you for your reply. The basic DoS features are pretty good, but DDoS is 100x more flow of wanted DoS traffic. The defaults from FreeBSD don't actually handle normal DDoS, so I'm pretty sure that higher level DDoS attacks will kill the default installs. It's not about OPNsense being more vulnerable to DDoS attacks but the aggressive tunables needed to prevent them.
Title: Re: DDoS Mitigation Level
Post by: Tikimotel on October 22, 2015, 05:36:40 pm
Well, if flow is important then you can take a look at the bsdrouter project.

and in particular this blog post:

Nice to see the difference in IPFW and fastforwarding performance in this test.
Title: Re: DDoS Mitigation Level
Post by: lucifercipher on October 22, 2015, 08:24:17 pm
Thanks for your advice, but switching over to something else completely is not an option if a small bug/feature becomes an issue. What we can do is try to optimize it and fix the issue (if any). The website www.calomel.org has pretty nice DDoS mitigation info and I am doing a rebuild of the NanoBSD along with other tweaks to handle DDoS better.