
FreeBSD - Sysctl settings for DOS mitigation



I copied parts of this file from a site that I have long forgotten, my apologies for not giving credit. They have been used on our server for years and at the very least I can confirm that they are not harmful.

These system settings are intended to help defend your dedicated server against small DOS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:
 

# SYN cookies: keep accepting connections when the syncache fills up during a SYN flood
net.inet.tcp.syncookies=1
# IP forwarding makes the host route packets between its interfaces (fastforwarding is
# the quick path for that); only needed if the box actually forwards traffic
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
# Skip TIME_WAIT for connections where both endpoints are local
net.inet.tcp.nolocaltimewait=1
# Retransmit a SYN-ACK at most once
net.inet.tcp.syncache.rexmtlimit=1
# Only accept a packet on the interface that owns its destination address
net.inet.ip.check_interface=1
# Randomise ephemeral ports, ignore IP options, randomise the IP ID field
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
# Never send ICMP redirects; drop source-routed packets
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
# ICMP: ignore broadcast/multicast echo requests (smurf), do not answer netmask
# requests, drop incoming redirects without logging them
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
# Drop segments that have both SYN and FIN set
net.inet.tcp.drop_synfin=1
# Explicit Congestion Notification
net.inet.tcp.ecn.enable=1
# Recycle FIN_WAIT_2 sockets quickly; ICMP errors may not reset established connections
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
# Cap the number of TIME_WAIT entries; msl is in milliseconds and TIME_WAIT lasts 2*msl
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
# Disable path MTU discovery and RFC 3042 limited transmit
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
# Blackhole: send no RST / ICMP unreachable for closed UDP and TCP ports
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
# Route cache expiry
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
# Largest SysV shared memory segment (128 MB); not a DoS setting, kept from the original list
kern.ipc.shmmax=134217728

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.
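Lists like this get copied between servers and FreeBSD releases, and a name with a missing prefix, a repeated OID or a setting the running kernel no longer exposes is easy to overlook. The script below is an added example, not code from the original post: it validates a sysctl.conf fragment (name=value syntax, a top-level MIB root FreeBSD actually has, no duplicate OIDs) and applies only the OIDs the running kernel knows about. It assumes POSIX sh, awk and sysctl(8); the demo fragment is constructed and deliberately contains a line without its net.inet. prefix.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a sysctl.conf
# fragment before pasting it into /etc/sysctl.conf, then apply only the OIDs
# the running kernel actually exposes. The demo fragment is constructed.

# Print one finding per line for every entry that is not "name=value", whose
# top-level MIB root is not one FreeBSD uses, or that repeats an earlier OID.
# Returns 1 when anything was flagged, 0 when the fragment is clean.
check_sysctl_fragment() {
    awk '
    BEGIN {
        rc = 0
        roots["kern"] = 1; roots["net"] = 1; roots["vm"] = 1; roots["vfs"] = 1
        roots["hw"] = 1; roots["machdep"] = 1; roots["user"] = 1
        roots["debug"] = 1; roots["security"] = 1; roots["dev"] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
    !/^[A-Za-z0-9_.%-]+=[^=]+$/ {
        printf "line %d: not name=value: %s\n", NR, $0
        rc = 1
        next
    }
    {
        split($0, kv, "=")
        name = kv[1]
        if (name in seen) {
            printf "line %d: duplicate of line %d: %s\n", NR, seen[name], name
            rc = 1
        }
        seen[name] = NR
        split(name, parts, ".")
        if (!(parts[1] in roots)) {
            printf "line %d: unknown MIB root \"%s\" (missing net.inet. prefix?): %s\n", NR, parts[1], name
            rc = 1
        }
    }
    END { exit rc }
    ' "$1"
}

# Apply each name=value line in $1 with sysctl(8), skipping OIDs the running
# kernel does not expose (some names differ between FreeBSD releases).
# Needs root on the FreeBSD host; not invoked in the demo below.
apply_present_sysctls() {
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        name=${line%%=*}
        if sysctl -n "$name" >/dev/null 2>&1; then
            sysctl "$line"
        else
            echo "skip: $name is not present on this kernel" >&2
        fi
    done < "$1"
}

# Constructed demo fragment: one duplicate, one line missing its MIB root,
# one line that is not a setting at all.
DEMO_FRAGMENT=$(mktemp)
cat > "$DEMO_FRAGMENT" <<'EOF'
# constructed fragment for the demo
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# the same OID again
net.inet.tcp.blackhole=2
# the net.inet. prefix is missing here
tcp.path_mtu_discovery=0
# not a setting at all
this is not a setting
EOF

# A cleaned copy: only well-formed net.inet lines, duplicates collapsed.
CLEAN_FRAGMENT=$(mktemp)
grep -E '^net\.inet\.(tcp|udp)\.' "$DEMO_FRAGMENT" | sort -u > "$CLEAN_FRAGMENT"

check_sysctl_fragment "$DEMO_FRAGMENT" || echo "fix the fragment before it goes into /etc/sysctl.conf"
check_sysctl_fragment "$CLEAN_FRAGMENT" && echo "cleaned fragment is well-formed"
```

Run it as a normal user to see the three findings; on the FreeBSD host itself, `apply_present_sysctls /path/to/fragment` as root sets each known OID and reports the ones this kernel does not have, which is the same information `service sysctl restart` would otherwise hide in its error output.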


There is a new way to propagate DDOS attacks based on NTP (Network Time Protocol).

The version available in the FreeBSD ports is still vulnerable and they have disabled it, which made me unable to upgrade to the latest version.

There are some articles about how to prevent "DDOS NTP Amplification".

I've got mine disabled until it is upgraded on (FreeBSD Ports) to the latest version.

Here's an image explaining how this type of attack works, using a dedicated server as a DDOS amplifier through the NTP vulnerability:

[Image: illustration-amplification-attack (diagram of an NTP amplification attack)]
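Whether a box can be abused this way comes down to two things an admin can check locally: does ntp.conf refuse the status queries (the "monlist" request) that the amplification relies on, and is ntpd started at boot at all. The script below is an added example and not part of the original post; it audits a constructed ntp.conf for either "disable monitor" or "noquery" on every "restrict default" line, and checks a constructed rc.conf excerpt for ntpd_enable. It assumes POSIX sh and grep; the file contents are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit whether an ntpd
# installation answers the queries used for amplification, and whether it is
# enabled at boot. All sample config files below are constructed.

# $1 = ntp.conf. Returns 0 when queries are refused (either "disable monitor"
# is set or every "restrict default" line carries "noquery"), 1 otherwise.
audit_ntp_conf() {
    conf=$1
    if grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' "$conf"; then
        echo "ok: monitor (monlist) is disabled in $conf"
        return 0
    fi
    defaults=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf" || true)
    if [ -z "$defaults" ]; then
        echo "exposed: no 'restrict default' line and monitor not disabled in $conf"
        return 1
    fi
    if printf '%s\n' "$defaults" | grep -Evq '(^|[[:space:]])noquery([[:space:]]|$)'; then
        echo "exposed: a 'restrict default' line in $conf lacks noquery"
        return 1
    fi
    echo "ok: every 'restrict default' line in $conf carries noquery"
    return 0
}

# $1 = rc.conf. Returns 0 when ntpd starts at boot (ntpd_enable=YES).
# On a live FreeBSD host "sysrc ntpd_enable=NO" and "service ntpd stop"
# switch the daemon off if the time is set some other way.
ntpd_enabled_in_rc() {
    grep -Eiq '^[[:space:]]*ntpd_enable="?yes"?' "$1"
}

# Constructed sample: the default restriction allows queries.
EXPOSED_NTP_CONF=$(mktemp)
cat > "$EXPOSED_NTP_CONF" <<'EOF'
server ntp.example.com iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF

# Constructed sample: queries refused by the default restriction (v4 and v6).
NOQUERY_NTP_CONF=$(mktemp)
cat > "$NOQUERY_NTP_CONF" <<'EOF'
server ntp.example.com iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF

# Constructed sample: monitor facility switched off outright.
NOMONITOR_NTP_CONF=$(mktemp)
cat > "$NOMONITOR_NTP_CONF" <<'EOF'
server ntp.example.com iburst
disable monitor
restrict 127.0.0.1
EOF

# Constructed rc.conf excerpt with ntpd enabled at boot.
DEMO_RC_CONF=$(mktemp)
cat > "$DEMO_RC_CONF" <<'EOF'
hostname="game.example.com"
ntpd_enable="YES"
EOF

for f in "$EXPOSED_NTP_CONF" "$NOQUERY_NTP_CONF" "$NOMONITOR_NTP_CONF"; do
    audit_ntp_conf "$f" || true
done
if ntpd_enabled_in_rc "$DEMO_RC_CONF"; then
    echo "ntpd is enabled at boot in $DEMO_RC_CONF"
fi
```

Point `audit_ntp_conf` at /etc/ntp.conf (or the ntp.conf of the ports version) on the host; an "exposed" result means the daemon will answer status queries from any source, which is exactly what the amplification traffic in the diagram consists of.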



I have had a huge problem with ntp attacks too and I didn't find any solution.

Also my webhosting company kicked me out just because they were unable to filter it -.-

If anyone can make a tutorial on how to completely remove it, it would be nice.

I don't see any reason for using it if I can set the time on my own.

 

Edit:

@Shogun how does Worldstream allow you to host your server there? I thought that with a simple fake DMCA letter anyone could take down a Metin2 server hosted there.


Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.

Yes that's true.

 

Anyway, if anyone could do a tutorial on how to remove ntp completely it would be nice, because I have upgraded to FreeBSD 10.0 and I was still vulnerable. Also I have tried upgrading to the latest version, which was 4.2.6 instead of 4.2.7, I don't know why :S
