Shogun

Sysctl settings for DOS mitigation


I copied parts of this file from a site that I have long forgotten; my apologies for not giving credit. They have been used on our server for years, and at the very least I can confirm that they are not harmful.

These system settings are intended to help defend your dedicated server against small DoS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:
 

# SYN flood: answer with SYN cookies and give up on SYN-ACK retransmits early
net.inet.tcp.syncookies=1
net.inet.tcp.syncache.rexmtlimit=1
# IP forwarding (only needed if this host routes packets for others)
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
# TIME_WAIT handling: no TIME_WAIT for loopback connections, capped table,
# MSL of 5 s (so TIME_WAIT lasts 10 s), faster FIN_WAIT_2 recycling
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.fast_finwait2_recycle=1
# Source-address sanity: check the arrival interface, refuse source routing,
# ignore IP options
net.inet.ip.check_interface=1
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.ip.process_options=0
# Randomise ephemeral ports and IP IDs
net.inet.ip.portrange.randomized=1
net.inet.ip.random_id=1
# ICMP: send no redirects, ignore received ones, no broadcast echo or
# netmask replies, and ICMP errors may not reset TCP connections
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.tcp.icmp_may_rst=0
# TCP: drop SYN+FIN, ECN on, limited transmit (RFC 3042) off, no PMTU discovery
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.rfc3042=0
net.inet.tcp.path_mtu_discovery=0
# Blackhole: no ICMP unreachable for closed UDP ports, no RST for closed TCP ports
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
# Route cache expiry
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
# SysV shared memory limit (not DoS related, kept from the original list)
kern.ipc.shmmax=134217728

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.

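Added example for the procedure above (not from the post, and not FreeBSD's own tooling): a small sh script that lints a sysctl.conf fragment before you load it and, once run on the FreeBSD box, compares each key with what the running kernel reports. The `SYSCTL_SAMPLE` text is a constructed sample that deliberately ends with the kind of malformed line that slips into copy-pasted lists; `trim`, `lint_sysctl_conf` and `verify_live_sysctl` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a sysctl.conf fragment
# before loading it, and (on the FreeBSD host) confirm the running kernel
# actually picked the values up. SYSCTL_SAMPLE is a constructed sample that
# deliberately ends with a malformed line.

SYSCTL_SAMPLE='# constructed sample: a subset of the posted list plus one broken line
net.inet.tcp.syncookies=1
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.tcp.path_mtu_discovery=0
tcp.path_mtu_discovery=0
'

# trim: strip leading and trailing whitespace from $1
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# lint_sysctl_conf: read key=value lines from stdin, print one diagnostic per
# problem, return 1 if any was found. Checks: key=value shape, non-empty value,
# key rooted at a FreeBSD top-level MIB node, exact duplicates, and keys that
# are a truncated tail of an earlier key (a common copy-paste slip).
lint_sysctl_conf() {
    status=0
    seen=""
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(trim "${line%%#*}")
        [ -z "$line" ] && continue
        case $line in
            *=*) ;;
            *) echo "line $lineno: not key=value: $line"; status=1; continue ;;
        esac
        key=$(trim "${line%%=*}")
        value=$(trim "${line#*=}")
        [ -n "$value" ] || { echo "line $lineno: empty value for $key"; status=1; }
        case $key in
            kern.*|vm.*|vfs.*|net.*|debug.*|hw.*|machdep.*|user.*|security.*|dev.*) ;;
            *) echo "line $lineno: '$key' is not rooted at a FreeBSD top-level node"; status=1 ;;
        esac
        for prev in $seen; do
            if [ "$prev" = "$key" ]; then
                echo "line $lineno: duplicate key $key"; status=1
            else
                case $prev in
                    *".$key") echo "line $lineno: '$key' looks like a truncated copy of '$prev'"; status=1 ;;
                esac
            fi
        done
        seen="$seen $key"
    done
    return $status
}

# verify_live_sysctl FILE: compare each key=value in FILE with the running
# kernel via sysctl -n. Returns 0 when everything matches, 1 on a mismatch,
# 2 when sysctl is missing or a key is unknown (e.g. not running on FreeBSD).
verify_live_sysctl() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not found"; return 2; }
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")
        case $line in *=*) ;; *) continue ;; esac
        key=$(trim "${line%%=*}")
        want=$(trim "${line#*=}")
        if ! have=$(sysctl -n "$key" 2>/dev/null); then
            echo "$key: unknown to this kernel"; status=2; continue
        fi
        if [ "$have" != "$want" ]; then
            echo "$key: running=$have wanted=$want"
            [ "$status" -eq 2 ] || status=1
        fi
    done < "$1"
    return $status
}

# Demo: the constructed sample fails the lint because of its last line.
printf '%s' "$SYSCTL_SAMPLE" | lint_sysctl_conf \
    || echo "lint failed as expected for the constructed sample"

# On the FreeBSD host, after pasting the block into /etc/sysctl.conf:
#   lint_sysctl_conf < /etc/sysctl.conf && service sysctl restart \
#       && verify_live_sysctl /etc/sysctl.conf
```

Run the lint before `service sysctl restart`: sysctl(8) reports an unknown key but still applies the rest, so a truncated or misspelled line fails silently into the noise of boot output. `verify_live_sysctl` closes the loop by reading the values back from the kernel rather than trusting the file.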

There is a new way to propagate DDoS attacks based on NTP (Network Time Protocol).

The version available in the FreeBSD ports is still vulnerable, and they have disabled it, which has made me unable to upgrade to the latest version.

There are some articles about how to prevent "DDoS NTP amplification".

I've got mine disabled until it is upgraded (in the FreeBSD ports) to the latest version.

Here's an image explaining how this type of attack works, using a dedicated server as a DDoS amplifier through the NTP vulnerability:

[image: illustration of an NTP amplification attack]


Yeah, I received a letter from Worldstream about it and changed some settings in ntpd.conf to disable the NTP server capabilities.

If you don't use NTP, you aren't affected.


I've recently been under NTP attacks too.

Though when checking "service ntpd onestatus" I was informed that ntpd isn't even running..? Probably because it isn't set to run in rc.conf?


I have had a huge problem with NTP attacks too, and I didn't find any solution.

Also, my web hosting company kicked me out just because they were unable to filter it -.-

If anyone could make a tutorial on how to completely remove it, that would be nice.

I don't see any reason to use it if I can set the time on my own.

Edit:

@Shogun, how does Worldstream allow you to host your server there? I thought that with a simple fake DMCA letter anyone could take down a Metin2 server hosted there.


They can. I also don't understand why he likes Worldstream; several people have been shut down there, including me with AlpineMT2.


Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.


> Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.

Yes, that's true.

Anyway, if anyone could do a tutorial on how to remove NTP completely, it would be nice, because I have upgraded to FreeBSD 10.0 and I was still vulnerable. Also, I have tried upgrading to the latest version, which was 4.2.6 instead of 4.2.7; I don't know why :S


Just remove it from rc.conf, or, if you want to use NTP but not be vulnerable to your machine getting used for reflection attacks, edit /etc/ntp.conf and uncomment the line that says "restrict default ignore".

