OPNsense Forum, Archive, 15.7 Legacy Series
Topic: DDoS Mitigation Level (Read 9406 times)
lucifercipher, posted on October 19, 2015, 05:48:14 pm:
Has anyone experienced a small or medium level DDoS attack? Please share your experiences. Today I ran an in-house DDoS simulation and an i7, quad core with 8 GB of RAM boped in, though the device knew a TCP/UDP DDoS was under way.
Last edit: October 19, 2015, 05:50:31 pm by lucifercipher
Reply #1, Tikimotel, October 21, 2015, 08:32:43 pm:
Some sysctl tunables might already be set correctly, but I've included the FreeBSD default anyway in the description comment.
Here is part of my System -> Settings -> System Tunables:
Tunable name = Value
    Description (FreeBSD default)

net.inet.tcp.syncache.rexmtlimit = 0
    Reduce the amount of SYN/ACKs the server will re-transmit to an IP address that did not respond to the first SYN/ACK. # (default 3)

net.inet.ip.rtexpire = 10
    Spoofed packet attacks may be used to overload the kernel route cache.
    http://www.es.freebsd.org/doc/handbook/securing-freebsd.html (page is gone?) # (default 3600)

net.inet.ip.check_interface = 1
    General security and DoS mitigation: verify packet arrives on correct interface (default 0)

net.inet.ip.process_options = 0
    General security and DoS mitigation: ignore IP options in the incoming packets (default 1)

net.inet.ip.random_id = 1
    General security and DoS mitigation: assign a random IP_ID to each packet leaving the system (default 0)

net.inet.ip.redirect = 0
    General security and DoS mitigation: do not send IP redirects (default 1)

net.inet.icmp.drop_redirect = 1
    General security and DoS mitigation: no redirected ICMP packets (default 0)

net.inet.tcp.always_keepalive = 0
    General security and DoS mitigation: disable TCP keepalive detection for dead peers, can be spoofed (default 1)

net.inet.tcp.drop_synfin = 1
    General security and DoS mitigation: SYN/FIN packets get dropped on initial connection (default 0)

net.inet.tcp.fast_finwait2_recycle = 0
    General security and DoS mitigation: recycle FIN_WAIT states quickly (helps against DoS, but may cause false RST) (default 0)

net.inet.tcp.msl = 5000
    General security and DoS mitigation: Maximum Segment Lifetime is the time a TCP segment can exist on the network and is used to determine the TIME_WAIT interval, 2*MSL (default 30000, which is 60 seconds)

net.inet.tcp.path_mtu_discovery = 0
    General security and DoS mitigation: disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)

net.inet.udp.blackhole = 1
    General security and DoS mitigation: drop UDP packets destined for closed sockets (default 0)

net.inet.tcp.blackhole = 2
    General security and DoS mitigation: drop TCP packets destined for closed ports (default 0)

security.bsd.see_other_uids = 0
    General security and DoS mitigation: users only see their own processes; root can see all (default 1)
Last edit: October 21, 2015, 08:40:30 pm by Tikimotel
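As an added example (not code from the post above, and not part of OPNsense), here is a POSIX sh audit that compares a `sysctl -a` snapshot against the hardened values Tikimotel listed and prints the sysctl.conf lines needed to close each gap. The snapshot embedded below is constructed for offline use; the values in it mirror the FreeBSD defaults the post quotes, with a few keys already hardened so that only some deviate. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: audit a FreeBSD/OPNsense host's sysctl values against the
# hardened set from the forum post above. Not project code.
#
# On a real host:   sysctl -a > /tmp/snap.txt; audit_sysctls "$(cat /tmp/snap.txt)"
# Output lines that do not start with '#' are valid /etc/sysctl.conf syntax,
# or can be entered one by one under System -> Settings -> System Tunables.

# Hardened key=value pairs, copied from the post above.
HARDENED='net.inet.tcp.syncache.rexmtlimit=0
net.inet.ip.rtexpire=10
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.always_keepalive=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.fast_finwait2_recycle=0
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0'

# CONSTRUCTED sample of `sysctl -a` output (FreeBSD prints "key: value").
# Five keys are left at the defaults quoted in the post so the audit has
# something to report; unrelated keys are present to show they are ignored.
SAMPLE_SNAPSHOT='kern.hostname: fw.example.test
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.ip.rtexpire: 3600
net.inet.ip.check_interface: 1
net.inet.ip.process_options: 1
net.inet.ip.random_id: 1
net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 1
net.inet.tcp.always_keepalive: 0
net.inet.tcp.drop_synfin: 1
net.inet.tcp.fast_finwait2_recycle: 0
net.inet.tcp.msl: 30000
net.inet.tcp.path_mtu_discovery: 0
net.inet.udp.blackhole: 1
net.inet.tcp.blackhole: 2
security.bsd.see_other_uids: 1
net.inet.tcp.sendspace: 32768'

# lookup KEY SNAPSHOT -> prints KEY's current value, or MISSING if absent.
# Matching on "KEY: " anchored at column 1 avoids prefix collisions such as
# net.inet.tcp.blackhole vs. a longer key that merely starts the same way.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" '
        index($0, k ": ") == 1 { sub(/^[^:]*: */, ""); print; found = 1; exit }
        END { if (!found) print "MISSING" }'
}

# audit_sysctls SNAPSHOT -> for every deviating tunable, prints a comment
# line with the current value followed by the sysctl.conf line to apply.
audit_sysctls() {
    snap=$1
    printf '%s\n' "$HARDENED" | while IFS='=' read -r key wanted; do
        [ -n "$key" ] || continue
        current=$(lookup "$key" "$snap")
        if [ "$current" != "$wanted" ]; then
            printf '# %s is %s, hardened value is %s\n' "$key" "$current" "$wanted"
            printf '%s=%s\n' "$key" "$wanted"
        fi
    done
}

# count_deviations SNAPSHOT -> prints how many tunables deviate
# (counts only the non-comment lines of audit_sysctls' output).
count_deviations() {
    n=0
    while read -r line; do
        case $line in
            ''|'#'*) ;;
            *) n=$((n + 1)) ;;
        esac
    done <<EOF
$(audit_sysctls "$1")
EOF
    echo "$n"
}

# Stand-alone run against the constructed snapshot.
audit_sysctls "$SAMPLE_SNAPSHOT"
```

Two of the listed values deserve a look before they go on a production firewall: `net.inet.tcp.syncache.rexmtlimit=0` means a lost SYN/ACK is never retransmitted, so a client on a lossy path has to restart the whole handshake, and `net.inet.tcp.path_mtu_discovery=0` turns off PMTUD entirely, which can hurt throughput on paths with a small MTU. The audit above reports them like any other deviation; deciding whether to apply them is still a per-site call.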
Reply #2, lucifercipher, October 21, 2015, 09:56:35 pm:
Thank you for your reply. The basic DoS features are pretty good, but a DDoS is 100x more flow of unwanted DoS traffic. The defaults from FreeBSD don't actually handle a normal DDoS, so I'm pretty sure that higher-level DDoS attacks will kill the default installs. It's not about OPNsense being more vulnerable to DDoS attacks but the aggressive tunables needed to prevent them.
Reply #3, Tikimotel, October 22, 2015, 05:36:40 pm:
Well, if flow is important then you can take a look at the BSD Router Project.
http://bsdrp.net/documentation/technical_docs/performance
and in particular this blog post:
http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html
Nice to see the difference in IPFW and fastforwarding performance in this test.
Reply #4, lucifercipher, October 22, 2015, 08:24:17 pm:
Thanks for your advice, but switching over to something else completely is not an option if a small bug/feature becomes an issue. What we can do is try to optimize it and fix the issue (if any). The website www.calomel.org has pretty nice DDoS mitigation info, and I am doing a rebuild of the NanoBSD along with other tweaks to handle DDoS better.