Hi, I have a big problem.

My server is under attack.

Firewall used:

+ sysctl

net.inet.tcp.syncookies=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=1
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728

+ pf.conf

ext_if="xn0"

service_ports="{ 3306, 3004 }"
game_ports="{ 40000, 41110, 41200, 41300, 49100, 49200, 42110, 42200, 53, 80 }"
table <trusted_hosts> const { 92.87.16.1 }
table <abusive_hosts> persist file "/usr/home/game/BANIP.txt"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id

antispoof quick for { lo0 $ext_if }

block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

pass in inet proto icmp all icmp-type echoreq

# the state options in parentheses belong to the rule on the line above, so the
# line must be continued with a backslash (a bare line break is a syntax error)
pass in on $ext_if proto tcp to <trusted_hosts> port $service_ports flags S/SA keep state \
	(max-src-conn-rate 15/1, overload <abusive_hosts> flush)

# flags S/SA is TCP-only, so UDP gets its own rule without it
pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state \
	(max-src-conn-rate 15/5, overload <abusive_hosts> flush)
pass in on $ext_if proto udp to any port $game_ports keep state \
	(max-src-conn-rate 15/5, overload <abusive_hosts> flush)


+ ipfw.rules

IPF="ipfw -q add"
ipfw -q -f flush

##Custom-Rules
#P2P Ports
$IPF 1 allow all from me to any 30000
$IPF 2 allow all from 127.0.0.0/8 to any 30000
$IPF 3 deny all from any to me 30000
$IPF 4 allow all from me to any 30011
$IPF 5 allow all from 127.0.0.0/8 to any 30011
$IPF 6 deny all from any to me 30011
$IPF 7 allow all from me to any 30012
$IPF 8 allow all from 127.0.0.0/8 to any 30012
$IPF 9 deny all from any to me 30012
$IPF 10 allow all from me to any 30013
$IPF 11 allow all from 127.0.0.0/8 to any 30013
$IPF 12 deny all from any to me 30013
$IPF 13 allow all from me to any 30091
$IPF 14 allow all from 127.0.0.0/8 to any 30091
$IPF 15 deny all from any to me 30091
$IPF 16 allow all from me to any 30092
$IPF 17 allow all from 127.0.0.0/8 to any 30092
$IPF 18 deny all from any to me 30092
$IPF 19 allow all from me to any 30021
$IPF 20 allow all from 127.0.0.0/8 to any 30021
$IPF 21 deny all from any to me 30021
$IPF 22 allow all from me to any 30022
$IPF 23 allow all from 127.0.0.0/8 to any 30022
$IPF 24 deny all from any to me 30022

#Game Ports
# "setup limit src-addr 2": at most 2 TCP connections per source address on each port
# (rule numbers must be unique; 53 and 80 were all numbered 32)
$IPF 25 allow tcp from any to any dst-port 40000 in via xn0 setup limit src-addr 2
$IPF 26 allow tcp from any to any dst-port 41110 in via xn0 setup limit src-addr 2
$IPF 27 allow tcp from any to any dst-port 41200 in via xn0 setup limit src-addr 2
$IPF 28 allow tcp from any to any dst-port 41300 in via xn0 setup limit src-addr 2
$IPF 29 allow tcp from any to any dst-port 49100 in via xn0 setup limit src-addr 2
$IPF 30 allow tcp from any to any dst-port 49200 in via xn0 setup limit src-addr 2
$IPF 31 allow tcp from any to any dst-port 42110 in via xn0 setup limit src-addr 2
$IPF 32 allow tcp from any to any dst-port 42200 in via xn0 setup limit src-addr 2
$IPF 33 allow tcp from any to any dst-port 53 in via xn0 setup limit src-addr 2
$IPF 34 allow tcp from any to any dst-port 80 in via xn0 setup limit src-addr 2
#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$IPF allow all from any to any via lo0
$IPF deny all from any to 127.0.0.0/8
$IPF deny all from 127.0.0.0/8 to any
$IPF deny tcp from any to any frag

## Standard rules
$IPF check-state
$IPF deny tcp from any to any established
$IPF allow all from any to any out keep-state
$IPF deny icmp from any to any


When I am under attack, pf.conf and firewall.rules give many rows of errors (cannot drop, too many sockets or something like this).

I used pfctl -si and saw 25 000 connections there in just 2 seconds.

Any idea how to solve it?

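An added illustration, not code from the original post, of how the "max-src-conn-rate 15/5 ... overload <abusive_hosts> flush" rule in that pf.conf sorts sources: a host that opens more than 15 new connections inside 5 seconds lands in the ban table and every later packet from it is dropped, while the trusted host passes first and is never limited. It uses a plain sliding window in place of pf's own rate estimate, and the sample traffic is constructed.

```python
"""Model of pf's 'max-src-conn-rate N/S ... overload <table> flush' bookkeeping.

Added example, not from the original post. Assumption: a simple sliding window
stands in for pf's moving-average rate estimate; the trusted address and the
15/5 limit come from the posted pf.conf.
"""
from collections import defaultdict, deque

TRUSTED_HOSTS = {"92.87.16.1"}          # table <trusted_hosts> from the posted config
GAME_RATE = (15, 5)                     # max-src-conn-rate 15/5 on the game ports


def classify(events, limit=GAME_RATE, trusted=TRUSTED_HOSTS):
    """events: iterable of (timestamp_seconds, source_ip), one per new inbound
    connection attempt. Returns (abusive_set, packets_dropped_after_ban)."""
    max_conns, window = limit
    recent = defaultdict(deque)          # per-source attempt times inside the window
    abusive = set()
    dropped = 0
    for ts, src in sorted(events):
        if src in trusted:               # 'pass in quick from <trusted_hosts>' wins
            continue
        if src in abusive:               # 'block in quick from <abusive_hosts>'
            dropped += 1
            continue
        q = recent[src]
        while q and ts - q[0] > window:  # forget attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) > max_conns:           # rate exceeded: overload into the table
            abusive.add(src)
            recent.pop(src)              # 'flush' kills this source's states
    return abusive, dropped


def constructed_events():
    """Constructed sample traffic: one normal player, one flooding host, and
    the trusted host opening connections far above the limit."""
    events = [(t * 2.0, "198.51.100.7") for t in range(5)]        # 5 conns in 10 s
    events += [(0.1 * i, "203.0.113.9") for i in range(40)]       # 40 conns in 4 s
    events += [(0.05 * i, "92.87.16.1") for i in range(100)]      # trusted, never banned
    return events


if __name__ == "__main__":
    banned, dropped = classify(constructed_events())
    print("abusive:", sorted(banned), "packets dropped after ban:", dropped)
```

Note that the flooding source still gets its first 16 attempts through before the ban, which is why a flood of many sources at 25 000 connections per 2 seconds keeps the kernel busy even when every rule works as intended.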

A full-fledged attack can't be defeated with software running on your webserver. If the attack is that big and saturates your internet bandwidth, the only solution is to ask your internet access provider to null-route the attackers' IPs on its core network. Your best solution is to choose a provider with a network layer of DDoS protection.
