Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting

From: Jez Hancock (jez.hancock_at_munk.nu)
Date: 06/28/03

Date: Sat, 28 Jun 2003 04:53:01 +0100
To: FreeBSD ISP List <freebsd-isp@freebsd.org>

Hi,

Regarding your main question I'm afraid I can't really help - although
what the other person said about not being able to do a whole lot about
it I think is generally the case unfortunately. I run a number of
eggdrop bots on my home network (about 20 full time bots in all, around
100 shell users in all) and have seen a few similar DDoS attacks from
botnets (characterized by open ports 80 and 113) which really clogged
the system.

Luckily in my case the last attack was a relatively simple ICMP attack
with fragmented packets (_lots_ of them, around 30MB in 5 minutes on a
512k ADSL connection). This was easy enough to block with ipf
(incidentally you are using ipf aren't you:).

Very annoying and generally I just felt like stopping my users from
running their eggdrops (as you no doubt know there's little way to tell
exactly what/who caused the attack to be brought about, banning one user
who has brought it on isn't possible).

> And a last thing, I use right now tcpdump, trafshow, ipfm to trace the
> source(attackers) and the destination(which one of my ips is attacked)
> ips. Do you suggest any other tools to make my life easier?

lsof is very useful for gaining additional insight into network
connections. I found the perl scripts located in the scripts directory
to be very insightful, particularly in how to incorporate lsof into a
custom tool.

I particularly needed to know which eggdrop was attempting to connect to
private address ranges which were blocked by the firewall and causing
lots of log entries. lsof easily allowed me to determine what user
owned the process that spawned these connection attempts
(sockstat/netstat is ok, but filtering lsof output is a lot easier).

Anyway, good luck,

Regards,
Jez
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
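The lsof approach Jez describes above, as an added shell example that is not part of the original message: a filter over `lsof -i -n -P` output that maps outbound connection attempts to RFC 1918 private address ranges back to the owning user and process, so the user whose bot is generating the firewall log noise can be identified. The sample lsof lines (users, PIDs, addresses) are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): attribute connection attempts
# to private address ranges to a user and process by filtering lsof output.
# Assumes the standard `lsof -i -n -P` column layout:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
# Caveat: a COMMAND containing a space would shift the columns.

# Constructed sample of `lsof -i -n -P` output (hypothetical values).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
eggdrop  1234  bob    5u  IPv4 0xdead      0t0  TCP 203.0.113.7:40001->10.0.0.5:6667 (SYN_SENT)
eggdrop  1240 alice   6u  IPv4 0xbeef      0t0  TCP 203.0.113.7:40002->198.51.100.9:6667 (ESTABLISHED)
eggdrop  1251 carol   5u  IPv4 0xcafe      0t0  TCP 203.0.113.7:40003->172.16.4.2:6667 (SYN_SENT)
sshd      900 root    3u  IPv4 0xf00d      0t0  TCP *:22 (LISTEN)
eggdrop  1260  bob    7u  IPv4 0xfeed      0t0  TCP 203.0.113.7:40004->192.168.1.20:6667 (SYN_SENT)'

# Read lsof output on stdin; print "user command pid peer" for every socket
# whose remote end is in 10/8, 172.16/12 or 192.168/16.
private_peers() {
    awk 'NR > 1 && $9 ~ /->/ {
        split($9, ends, "->"); peer = ends[2]
        sub(/:[0-9]+$/, "", peer)            # drop the remote port
        split(peer, o, ".")                  # IPv6 peers yield no octets
        if (o[1]+0 == 10 ||
            (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) ||
            (o[1]+0 == 192 && o[2]+0 == 168))
            print $3, $1, $2, peer
    }' | sort -u
}

# Same input, summarised as "count user" so the noisiest shell user is first.
count_by_user() {
    private_peers | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

if [ "$1" = "--live" ]; then
    lsof -i -n -P | private_peers         # run against the local host
else
    printf '%s\n' "$SAMPLE_LSOF" | count_by_user
fi
```

Pair it with the firewall's log entries: the blocked destination in the log is the same address that appears in the `peer` column here, which is what ties the log line to a user.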

