
FreeBSD - Sysctl settings for DOS mitigation


Shogun


I copied parts of this file from a site that I long forgot, my apologies for not giving credits. They have been used in our server for years and at the very least I can confirm that they are not harmful. 

These system settings are intended to help defend your dedicated server against small DoS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:
 

net.inet.tcp.syncookies=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=1
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.


Currently working on my FreeBSD blog:

FreeBSD is Fun, practical tutorials and articles

⚠️                Are you under attack?               ⚠️

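As an added example (not part of the post above, and not FreeBSD's own tooling), the following POSIX shell script does the check a practitioner would want before step 3: it validates a sysctl.conf fragment for lines that have no "=" separator, an unknown MIB root (a key such as "tcp.path_mtu_discovery" that lost its "net.inet." prefix while being copied), an empty value, or a duplicated key, and on FreeBSD it additionally asks the running kernel whether every OID exists. It also emits the pf rate-limiting fragment the post recommends but does not show. The list of MIB roots, the interface name em0 and the port 80 service are assumptions; the sample file is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a sysctl.conf
# fragment before "service sysctl restart". The rc script does not validate
# the file, so a key with a missing "net.inet." prefix yields at most a
# boot-time warning and the mitigation is silently never applied.

# validate_sysctl_conf FILE
# Prints one "LINE: problem: text" per finding; returns 1 if any.
validate_sysctl_conf() {
    file=$1 seen=" " problems=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}                                   # drop comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # entries carry no whitespace
        case $entry in
        '')  continue ;;
        *=*) ;;
        *)   problems=$((problems + 1))
             printf '%d: no "=" separator: %s\n' "$n" "$line"; continue ;;
        esac
        key=${entry%%=*}
        value=${entry#*=}
        # every FreeBSD OID hangs off one of these MIB roots (assumed list)
        case $key in
        kern.*|vm.*|vfs.*|net.*|debug.*|hw.*|machdep.*|user.*|p1003_1b.*|security.*|dev.*|compat.*) ;;
        *)   problems=$((problems + 1))
             printf '%d: unknown MIB root "%s": %s\n' "$n" "${key%%.*}" "$line" ;;
        esac
        if [ -z "$value" ]; then
            problems=$((problems + 1))
            printf '%d: empty value: %s\n' "$n" "$line"
        fi
        case $seen in
        *" $key "*) problems=$((problems + 1))
                    printf '%d: duplicate key, last one wins: %s\n' "$n" "$key" ;;
        esac
        seen="$seen$key "
    done < "$file"
    [ "$problems" -eq 0 ]
}

# check_keys_exist FILE
# On FreeBSD, asks the running kernel whether each key is a real OID;
# on any other OS it only says that it cannot.
check_keys_exist() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD: skipping live OID check"; return 0
    fi
    missing=0
    for key in $(sed 's/#.*//; s/=.*//' "$1"); do
        if ! sysctl -n "$key" >/dev/null 2>&1; then
            echo "unknown OID on this kernel: $key"; missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# pf_rate_limit_rules: the pf.conf fragment the post alludes to, assuming
# external interface em0 and a TCP service on port 80 (both assumptions).
pf_rate_limit_rules() {
    cat <<'EOF'
ext_if = "em0"
table <flooders> persist
block in quick from <flooders>
# more than 15 new connections in 5 s, or 100 open ones, from one source
# adds it to <flooders> and flushes its existing states
pass in on $ext_if proto tcp to port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)
EOF
}

# write_sample_conf FILE: constructed sample in the style of the post's list,
# with three faults: a key without its "net.inet." prefix, an empty value,
# and a duplicated key.
write_sample_conf() {
    cat > "$1" <<'EOF'
net.inet.tcp.syncookies=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.tcp.path_mtu_discovery=0
tcp.path_mtu_discovery=0
net.inet.tcp.msl=
net.inet.tcp.syncookies=1
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    if validate_sysctl_conf "$tmp"; then
        echo "clean: safe to append to /etc/sysctl.conf"
    else
        echo "fix the findings above before running: service sysctl restart"
    fi
    check_keys_exist "$tmp" || true
    rm -f "$tmp"
}
main
```

Run validate_sysctl_conf against the real /etc/sysctl.conf after pasting; the duplicate check matters because sysctl applies the file top to bottom and a later line silently overrides an earlier one. The pf fragment should be adapted to the ports your game server actually listens on before it goes into /etc/pf.conf.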

There is a new way to propagate DDoS attacks based on NTP (Network Time Protocol).

The version available in the FreeBSD ports is still vulnerable, and they have disabled it, which made me unable to upgrade to the latest version.

There are some articles about how to prevent "DDoS NTP amplification".

I've got mine disabled until it is upgraded in the FreeBSD ports to the latest version.

Here's an image explaining how this type of attack works, using a dedicated server as a DDoS amplifier through the NTP vulnerability:

[Image: illustration of an NTP amplification attack]


Yeah, I received a letter from Worldstream about it and changed some settings in ntpd.conf to disable the NTP server capabilities.

If you don't use ntp you aren't affected.


  • 4 weeks later...

I have had a huge problem with ntp attacks too and I didn't find any solution.

Also my webhosting company kicked me out just because they were unable to filter it -.-

If anyone can make a tutorial on how to completely remove it, it would be nice.

I don't see any reason for using it if I can set the time on my own.

Edit:

@Shogun how does Worldstream allow you to host your server there? I thought with a simple fake DMCA letter anyone could take down a Metin2 server hosted there.


Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.

Yes that's true.

 

Anyways, if anyone could do a tutorial on how to remove ntp completely it would be nice, because I have upgraded to FreeBSD 10.0 and I was still vulnerable. Also I have tried upgrading to the latest version, which was 4.2.6 instead of 4.2.7, I don't know why :S


Just remove it from rc.conf, or if you want to use NTP but not be vulnerable to your machine getting used for reflection attacks, edit /etc/ntp.conf and uncomment the line that says "restrict default ignore".

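As an added example (not from any post in this thread), the following POSIX shell script decides from an ntp.conf whether ntpd would still answer monlist queries from arbitrary clients, which is the reflection vector the thread is about, and writes a hardened file next to the exposed one. The configs are constructed here: the exposed one mirrors the stock file the post above refers to, with "restrict default ignore" left commented out. The hardened file is my suggestion rather than the post's; it uses "noquery" and "disable monitor" instead of "ignore" so that the server keeps answering ordinary time requests, whereas "ignore" drops every packet from the matched source. The directive syntax assumed is that of ntpd 4.2.x.

```shell
#!/bin/sh
# Added example, not from the original posts. Decides from an ntp.conf
# whether ntpd will still serve monlist to anyone, which is the NTP
# reflection vector discussed in the thread, and shows a hardened file.
# All sample configs below are constructed.

# ntp_conf_exposed FILE
# Returns 0 (exposed) unless the file restricts "default" with "ignore"
# or "noquery", or carries "disable monitor". Commented lines are ignored,
# so a shipped "#restrict default ignore" does not count.
ntp_conf_exposed() {
    file=$1 restrict_ok=0 monitor_off=0 line=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # strip comments
        set -- $line              # split the directive into words
        [ $# -ge 2 ] || continue
        case $1 in
        restrict)
            shift
            case $1 in -4|-6) shift ;; esac     # optional address-family flag
            [ "${1:-}" = default ] || continue
            shift
            for flag; do
                case $flag in ignore|noquery) restrict_ok=1 ;; esac
            done ;;
        disable)
            shift
            for flag; do
                case $flag in monitor) monitor_off=1 ;; esac
            done ;;
        esac
    done < "$file"
    [ "$restrict_ok" -eq 0 ] && [ "$monitor_off" -eq 0 ]
}

# write_exposed_conf FILE: like the stock file the post refers to,
# "restrict default ignore" is present but commented out.
write_exposed_conf() {
    cat > "$1" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
#restrict default ignore
restrict 127.0.0.1
EOF
}

# write_hardened_conf FILE: still serves time to anyone, but refuses
# ntpq/ntpdc control and monitor queries, and turns monlist off outright.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
# answer time requests from anyone, but no control or monitor queries
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
# monlist off as well, in case the restrict lines are ever loosened
disable monitor
EOF
}

main() {
    d=$(mktemp -d)
    write_exposed_conf "$d/exposed.conf"
    write_hardened_conf "$d/hardened.conf"
    for f in "$d/exposed.conf" "$d/hardened.conf"; do
        if ntp_conf_exposed "$f"; then
            echo "$f: EXPOSED, would answer monlist from any address"
        else
            echo "$f: restricted"
        fi
    done
    rm -rf "$d"
}
main
```

Point it at the live file with ntp_conf_exposed /etc/ntp.conf, then restart ntpd and confirm from another machine that ntpdc -n -c monlist <host> returns nothing. An ntp.conf with no restrict line at all is reported as exposed, because ntpd's default is to answer everything.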
