FreeBSD - Sysctl settings for DOS mitigation



I copied parts of this file from a site I have long forgotten; my apologies for not giving credit. They have been used on our server for years, and at the very least I can confirm that they are not harmful.

These system settings are intended to help defend your dedicated server against small DOS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:
 

# SYN flood handling
net.inet.tcp.syncookies=1              # fall back to SYN cookies when the syncache fills up
net.inet.ip.forwarding=1               # only needed if this host routes packets between interfaces
net.inet.ip.fastforwarding=1           # removed in FreeBSD 11; newer releases only warn about an unknown oid
net.inet.tcp.nolocaltimewait=1         # skip TIME_WAIT entries for loopback connections
net.inet.tcp.syncache.rexmtlimit=1     # retransmit a SYN-ACK only once
# Anti-spoofing and IP options
net.inet.ip.check_interface=1          # verify packets arrive on the interface that owns their address
net.inet.ip.portrange.randomized=1     # random ephemeral source ports
net.inet.ip.process_options=0          # ignore IP options instead of processing them
net.inet.ip.random_id=1                # randomize the IP ID field
net.inet.ip.redirect=0                 # never send ICMP redirects
net.inet.ip.accept_sourceroute=0       # reject source-routed packets
net.inet.ip.sourceroute=0              # do not forward source-routed packets
# ICMP
net.inet.icmp.bmcastecho=0             # ignore broadcast/multicast echo requests (smurf)
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0               # do not answer address mask requests
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1          # drop incoming ICMP redirects silently
# TCP state handling
net.inet.tcp.drop_synfin=1             # drop segments with SYN and FIN both set
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1   # recycle FIN_WAIT_2 sockets quickly
net.inet.tcp.icmp_may_rst=0            # ICMP unreachable cannot reset established connections
net.inet.tcp.maxtcptw=15000            # cap on TIME_WAIT entries
net.inet.tcp.msl=5000                  # maximum segment lifetime in ms (TIME_WAIT lasts 2*MSL)
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0                 # disable limited transmit
net.inet.udp.blackhole=1               # no ICMP unreachable for closed UDP ports
net.inet.tcp.blackhole=2               # no RST for closed TCP ports (1 = SYN only, 2 = any segment)
# Route cache
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728              # shared memory limit, not related to DOS

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.

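As an added example (not from the post above), here is a small sh script that audits a sysctl.conf fragment like the one above against a saved "sysctl -a" listing before anything is applied: it flags OIDs the kernel does not know (a mistyped prefix such as tcp.path_mtu_discovery, or net.inet.ip.fastforwarding on FreeBSD 11 and later) and values that differ from what is currently running. The two sample files at the bottom are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a sysctl.conf fragment
# against a saved "sysctl -a" listing (FreeBSD prints "oid: value" per line).
# Nothing is applied; the output is one line per setting:
#   OK <oid>                       running value already matches
#   DIFF <oid> want=<x> have=<y>   value differs from the file
#   MISSING <oid>                  kernel does not know the OID (typo or removed sysctl)
#   INVALID <line>                 line is not of the form oid=value
audit_sysctl() {
    desired="$1"   # sysctl.conf-style file, '#' comments allowed
    current="$2"   # file holding the output of: sysctl -a
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$desired" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        if [ -z "$want" ]; then
            printf 'INVALID %s\n' "$key"
            continue
        fi
        # exact match on the OID name; the value is everything after ": "
        have=$(awk -v k="$key" -F': ' '$1 == k { print $2; exit }' "$current")
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$key"
        elif [ "$have" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'DIFF %s want=%s have=%s\n' "$key" "$want" "$have"
        fi
    done
}

# Demo on constructed data (run this file directly to see it). On a real host
# replace have.txt with the output of: sysctl -a > have.txt
demo_dir=$(mktemp -d)
cat > "$demo_dir/want.conf" <<'EOF'
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.ip.fastforwarding=1
tcp.path_mtu_discovery=0
EOF
cat > "$demo_dir/have.txt" <<'EOF'
net.inet.tcp.syncookies: 1
net.inet.tcp.blackhole: 0
net.inet.ip.forwarding: 0
EOF
audit_sysctl "$demo_dir/want.conf" "$demo_dir/have.txt"
rm -rf "$demo_dir"
```

Run the audit again after "service sysctl restart" and every line should read OK; anything still reported MISSING is a line the kernel will never honour and can be dropped from the file.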

There is a new way to propagate DDOS attacks based on NTP (Network Time Protocol).

The version available in the FreeBSD ports is still vulnerable, and they have disabled it, which made me unable to upgrade to the latest version.

There are some articles about how to prevent "DDOS NTP Amplification".

I've got mine disabled until it is upgraded in FreeBSD Ports to the latest version.

Here's an image explaining how this type of attack works, using a dedicated server as a DDOS amplifier through the NTP vulnerability:

[image: illustration-amplification-attack-ph3.pn]


I have had a huge problem with NTP attacks too, and I didn't find any solution.

Also, my web hosting company kicked me out just because they were unable to filter it -.-

If anyone can make a tutorial on how to completely remove it, it would be nice.

I don't see any reason to use it if I can set the time on my own.


Edit:

@Shogun how does Worldstream allow you to host your server there? I thought that with a simple fake DMCA letter anyone could take down a Metin2 server hosted there.


Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.

Yes that's true.


Anyway, if anyone could do a tutorial on how to remove NTP completely it would be nice, because I have upgraded to FreeBSD 10.0 and I was still vulnerable. Also, I have tried upgrading to the latest version, which was 4.2.6 instead of 4.2.7; I don't know why :S

Just remove it from rc.conf, or if you want to use NTP but not be vulnerable to your machine getting used for reflection attacks, edit /etc/ntp.conf and uncomment the line that says "restrict default ignore".
